CVE-2026-52981

Summary

In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx).

sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't xmit or free skb.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 8a89054a1ec0767aec25ed2bbac933da6ba3cf5aaffected
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 9247d59ca15bf60a57dca08103f055d8a4340877affected
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 0084712e0bee204b284510cdb63182fd5a30c2b7affected
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 63063ba60d2dc334e34f1e3f9271d7f3f6f30307affected
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 445e45a2c3a078316a62d2d331a570cf34ef5079affected
LinuxLinux4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 < 4438113be604ee67a7bf4f81da6e1cca41332ce4affected
LinuxLinux4.1affected
LinuxLinux0 < 4.1unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References