HIGH · CVE-2026-46321 · CNA: Linux

CVE-2026-46321: tun: free page on short-frame rejection in tun_xdp_one()

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic.

Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
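The ownership bug described above, as an added user-space model (not kernel code and not part of the upstream patch): the `*_model` functions, `leaked_after_batch` and the frame lengths are hypothetical names and constructed values, and pages are represented by a counter rather than real allocations.

```c
#include <errno.h>
#include <stdio.h>

#define ETH_HLEN  14   /* Ethernet header length */
#define MAX_BATCH 64

struct frame { int len; int has_page; };   /* has_page: 1 while a page is held */
static int live_pages;                     /* model counter of unfreed pages */

static void put_page_model(struct frame *f) {
    if (f->has_page) { f->has_page = 0; live_pages--; }
}

/* Per-frame step. fixed == 0 models the behaviour before the patch. */
static int xdp_one_model(struct frame *f, int fixed) {
    if (f->len < ETH_HLEN) {
        if (fixed)
            put_page_model(f);   /* the fix: free before returning -EINVAL */
        return -EINVAL;
    }
    put_page_model(f);           /* accepted frame: modelled as released downstream */
    return 0;
}

/* Send step: per-frame errors are discarded and total_len is returned. */
static int sendmsg_model(struct frame *b, int n, int total_len, int fixed) {
    for (int i = 0; i < n; i++)
        (void)xdp_one_model(&b[i], fixed);
    return total_len;
}

/* Batch step: cleans up only when the send step reports failure.
 * Returns the number of pages still held after the batch. */
int leaked_after_batch(const int *lens, int n, int fixed) {
    struct frame b[MAX_BATCH];
    int total = 0;
    if (n > MAX_BATCH) n = MAX_BATCH;
    live_pages = 0;
    for (int i = 0; i < n; i++) {          /* one page allocated per descriptor */
        b[i].len = lens[i]; b[i].has_page = 1; live_pages++; total += lens[i];
    }
    if (sendmsg_model(b, n, total, fixed) < 0)   /* never true: success path */
        for (int i = 0; i < n; i++) put_page_model(&b[i]);
    return live_pages;
}

int main(void) {
    const int lens[] = { 60, 13, 0, 1500, 5 };   /* constructed frame lengths */
    printf("before fix: %d page(s) leaked\n", leaked_after_batch(lens, 5, 0));
    printf("after fix:  %d page(s) leaked\n", leaked_after_batch(lens, 5, 1));
    return 0;
}
```

The batch-level cleanup never runs because the send step hides the per-frame error, which is why the fix has to release the page at the point of rejection.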

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A memory leak (page-fragment leak on short-frame rejection) exists in the Linux kernel's tun/vhost-net subsystem. The flaw is reachable locally, without authentication, by any process that can open /dev/net/tun and /dev/vhost-net, and no victim interaction is needed. Successful exploitation lets an unprivileged local process exhaust host memory and trigger an out-of-memory panic, causing a full denial of service. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46321 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel feeds and matched against customer images, including custom-built images, within minutes of publication. Coverage extends to any image whose kernel or kernel-module packages fall within the affected version ranges.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and applies per-environment compliance policy weighting to determine urgency and routing. Triage results are available for delivery to the appropriate team inbox within each customer organization based on configured notification rules.

Status: Available

Patch

A patched-image rebuild at the fix commits (including stable branches 5.5, 5.11, and 5.16) is available on HarborGuard for environments running an affected kernel version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Not required

    No credentials are needed; any local process with access to /dev/net/tun and /dev/vhost-net can trigger the leak.

  • Victim interaction: Not required

    The exploit runs entirely within the attacker's own process and requires no action from another user or service.

  • Attack complexity: Detail

    Attack complexity is low; the exploit is reliable and condition-free, requiring only a tight descriptor submission loop to exhaust memory.

Blast Radius

  • The attacker continuously leaks page-fragment chunks from the host kernel memory allocator with each batch of short TX descriptors submitted.
  • Sustained submission exhausts available host memory, forcing the kernel's out-of-memory killer to fire and ultimately causing an OOM panic.
  • The OOM panic brings down the host system or container runtime, taking all co-located workloads and services offline.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against images containing affected Linux kernel packages within minutes of CVE ingestion. For environments running a kernel version within the affected ranges, a rebuilt image pinned to the patched commits is available. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

Until a kernel upgrade is applied, compensating controls include restricting unprivileged access to /dev/net/tun and /dev/vhost-net via Linux DAC permissions or a seccomp/AppArmor profile, and applying memory pressure alerting to catch abnormal page-allocator consumption early.


Fix available

0 · 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 · 5.5 · 5.11 · 5.16 · 6.2 · 6.7 · 6.10 · 6.11 · 6.12.93 · 6.18.35 · 69863ff2720a0e9871f1a5710f2a33a94217fee0 · 7.0.12 · 7.1-rc6 · 98c67be9eb9de72465a071949e84a3cdb8fab5a3 · f4feb1e20058e407cb00f45aff47f5b7e19a6bbf

Affected packages
  • Linux / Linux
    < 69863ff2720a0e9871f1a5710f2a33a94217fee0 (from 049584807f1d797fc3078b68035450a9769eb5c3) · < 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 (from 049584807f1d797fc3078b68035450a9769eb5c3) · < 98c67be9eb9de72465a071949e84a3cdb8fab5a3 (from 049584807f1d797fc3078b68035450a9769eb5c3) · < f4feb1e20058e407cb00f45aff47f5b7e19a6bbf (from 049584807f1d797fc3078b68035450a9769eb5c3) · 32b0aaba5dbc85816898167d9b5d45a22eae82e9 · 6100e0237204890269e3f934acfc50d35fd6f319
  • Linux / Linux
    6.11
    Fixed in 0, 6.12.93, 6.18.35, 7.0.12, 7.1-rc6
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H