{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-46321/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-14T04:30:16.094Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-46321","@id":"https://www.cve.org/CVERecord?id=CVE-2026-46321","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /de"},"products":[{"@id":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:linux:linux:6.11:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:linux:linux:6.11:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 0, 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0, 5.5, 5.11, 5.16, 6.2, 6.7, 6.10, 6.11, 6.12.93, 6.18.35, 69863ff2720a0e9871f1a5710f2a33a94217fee0, 7.0.12, 7.1-rc6, 98c67be9eb9de72465a071949e84a3cdb8fab5a3, f4feb1e20058e407cb00f45aff47f5b7e19a6bbf.","timestamp":"2026-06-14T04:30:16.094Z"}]}