CVE-2026-46320

Summary

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < 8d03e65eb6cfbffec471a6b65416f93679bf3286affected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < f979971835dddbca86cf99e3b2e2b94a408a1ab2affected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < 3f52a86a482a69294c50a5a2a097bd6f4104990aaffected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < d30aac0fa00ca0afc3e08174cf7f974a66bdcf05affected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < d68eab61944a9b0826fa2e954e42db1aa3201b7aaffected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < e27c17346628cb56843a83f93ac63c314c00f388affected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < 18a84c35842e19cd3c5534d8cee73d31863f696daffected
LinuxLinux0efac27791ee068075d80f07c55a229b1335ce12 < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2affected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.12 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References