CVE-2026-46320: tap: free page on error paths in tap_get_user_xdp()
In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame.

tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().
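To make the ownership bug concrete, here is an added userspace model of the two code shapes the description contrasts; it is not the kernel's code. The page-accounting helpers, the sample frame lengths and the skb_fails flag are constructed stand-ins for the page allocator, the incoming batch and a build_skb() failure, and the successful hand-off of the page to the skb is modelled as an immediate free.

```c
#include <errno.h>
#include <stdlib.h>

#define ETH_HLEN 14
#define PAGE_SZ 4096

/* Constructed accounting: every page handed to the receive path is counted
 * here, so a page that is neither consumed nor freed shows up as a leak. */
static int pages_outstanding;
static void *page_alloc(void) { pages_outstanding++; return malloc(PAGE_SZ); }
static void page_free(void *p) { pages_outstanding--; free(p); }

/* Pre-fix shape of tap_get_user_xdp(): both error paths return without
 * releasing the page the caller allocated. On success the page belongs to
 * the skb; that hand-off is modelled here as an immediate free. */
static int get_user_xdp_buggy(void *page, size_t len, int skb_fails)
{
    if (len < ETH_HLEN)
        return -EINVAL;            /* page leaked */
    if (skb_fails)
        return -ENOMEM;            /* page leaked */
    page_free(page);               /* skb owns the page from here on */
    return 0;
}

/* Post-fix shape: free the page on both error paths, before the skb exists. */
static int get_user_xdp_fixed(void *page, size_t len, int skb_fails)
{
    if (len < ETH_HLEN || skb_fails) {
        page_free(page);
        return len < ETH_HLEN ? -EINVAL : -ENOMEM;
    }
    page_free(page);
    return 0;
}

/* Models the batch caller: one page per frame, and the per-frame return
 * value is discarded (as tap_sendmsg() did), so nothing upstream can clean
 * up. Returns the number of pages still outstanding after the batch. */
static int sample_batch_leaks(int fixed, int skb_fails)
{
    static const size_t lens[] = { 64, 8, 0, 128, 13 }; /* constructed: 3 short frames */
    int (*fn)(void *, size_t, int) = fixed ? get_user_xdp_fixed : get_user_xdp_buggy;
    pages_outstanding = 0;
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        (void)fn(page_alloc(), lens[i], skb_fails);
    return pages_outstanding;
}
```

With the buggy shape, every short frame leaves one page outstanding and a build_skb() failure leaks every frame in the batch; the fixed shape leaves none.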
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A memory-leak vulnerability exists in the Linux kernel's tap (virtual network device) subsystem, specifically in the tap_get_user_xdp() function. An attacker on the same network segment can send a stream of malformed or short Ethernet frames to exhaust the host's memory, requiring no authentication to trigger. Successful exploitation causes a denial of service by steadily leaking page-fragment allocations until the host runs out of memory. A patched-image rebuild at the fix commit versions is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel version. Any image whose kernel falls in the vulnerable range is flagged automatically in both registry scans and CI/CD pipeline checks.
HarborGuard scores this CVE at 7.4 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy, which may escalate or suppress priority depending on workload classification. Triage findings are routed to the inbox or ticketing integration configured for each customer organization.
A patched-image rebuild pinned to the fix commits (18a84c35842e19cd3c5534d8cee73d31863f696d and 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2) becomes available on HarborGuard once upstream publishes the fixed kernel packages. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Adjacent network
The attack vector is adjacent-network (AV:A), meaning the attacker must be on the same LAN, VLAN, or VPN segment as the host running the tap device; remote internet-based exploitation is not possible without first gaining that adjacency.
- Authentication: Not required
No credentials or session token are needed; any unauthenticated host on the adjacent network can send malformed frames to trigger the leak.
- Victim interaction: Not required
The vulnerability is triggered purely by sending crafted network frames; no user action or approval on the target host is required.
- Attack complexity: Low
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or knowledge of memory layout; an attacker simply needs to send frames shorter than ETH_HLEN or frames that cause build_skb() to fail.
Blast Radius
- The attacker steadily exhausts the host's page-fragment pool, one leaked chunk per rejected frame in each XDP batch, degrading and eventually halting normal memory allocation on the host.
- Once memory is sufficiently depleted, the affected kernel process and any co-located containers or workloads sharing the host can be crashed or rendered unresponsive (Availability: HIGH).
- No data is disclosed to the attacker; confidentiality and integrity of stored data are unaffected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: images are scanned against the affected kernel version ranges as soon as the CVE is ingested, giving engineering teams immediate visibility into which workloads carry a vulnerable kernel. Where compliance policy permits, customers who have enabled auto-remediation receive a rebuilt image pinned to the patched commit, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, HarborGuard surfaces the exact fix commits and affected version ranges in the CVE detail view so that kernel upgrade PRs can be targeted precisely. As a compensating control while a patch is being applied, network-policy rules that restrict which adjacent hosts can reach the tap device interface reduce the exposure window without requiring a kernel change.
Fix available
- Linux / Linux: < 18a84c35842e19cd3c5534d8cee73d31863f696d (from 0efac27791ee068075d80f07c55a229b1335ce12) · < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (from 0efac27791ee068075d80f07c55a229b1335ce12)
- Linux / Linux 4.20: Fixed in 0, 7.0.12, 7.1-rc6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H