2486985 – (CVE-2026-46320) CVE-2026-46320 kernel: tap: free page on error paths in tap_get_user_xdp()

Bug 2486985 (CVE-2026-46320) - CVE-2026-46320 kernel: tap: free page on error paths in tap_get_user_xdp()

Summary: CVE-2026-46320 kernel: tap: free page on error paths in tap_get_user_xdp()

Keywords:
Status:	NEW
Alias:	CVE-2026-46320
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-09 13:01 UTC by OSIDB Bzimport
Modified:	2026-06-09 16:52 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-09 13:01:39 UTC

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().

Comment 1 Keith Grant 2026-06-09 16:51:14 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026060925-CVE-2026-46320-71d9@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.