MEDIUM 5.5

CVE-2026-46153

A memory leak exists in the Linux kernel's VLAN (802.1Q) network driver. When network administrators repeatedly configure and then clear egress QoS priority mappings on VLAN interfaces, the kernel fails to properly delete the cleared mappings. Instead, it retains them as empty placeholders (tombstones) in memory. Over time, this causes memory to accumulate and leak, eventually exhausting system resources when the VLAN device is torn down. The fix involves properly deleting these cleared mappings after a safe grace period rather than leaving them in place.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
6 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: 8021q: delete cleared egress QoS mappings vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory. Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in vlan_dev_set_egress_priority() within the Linux kernel's 8021q VLAN driver. The function manages a hash table of egress priority mappings that translate socket buffer (skb) priorities to VLAN priority codes. Previously, when a mapping was cleared (vlan_prio set to 0), the kernel removed the mapping data but retained the node in the hash table as a tombstone entry. Repeated set/clear cycles with different skb priorities would accumulate these stale nodes indefinitely. With RCU (Read-Copy-Update) synchronization now protecting the egress mapping lists, the kernel can safely unlink cleared nodes and free them after an RCU grace period, preventing the accumulation. This resolves the memory leak without introducing synchronization races.

Business impact

Memory leaks in network drivers degrade system stability and availability. Systems running affected Linux kernel versions with active VLAN QoS configuration will gradually consume more memory as mappings are repeatedly set and cleared—a common pattern in dynamic network provisioning environments. Over weeks or months, this exhaustion can force unplanned reboots or service interruptions. For organizations relying on VLAN-based traffic prioritization in data center or cloud environments, this could affect availability and require premature system maintenance cycles.

Affected systems

All Linux kernel versions containing the vulnerable vlan_dev_set_egress_priority() implementation are affected. This includes recent stable and long-term support (LTS) kernel branches. The vulnerability is particularly relevant to systems actively using VLAN interfaces with QoS egress priority mappings, including cloud platforms, container hosts, and data center infrastructure. Verify the specific kernel versions running in your environment against the Linux kernel security advisory for the precise affected range.

Exploitability

This vulnerability requires local access and the ability to configure VLAN network interfaces—specifically to set and clear egress QoS priority mappings. An unprivileged user cannot easily trigger this on a shared system; however, administrators, containerized workloads with network privileges, or local root users can induce the leak. The memory exhaustion is a denial-of-service condition rather than a data breach or privilege escalation vector. Exploitation requires intentional or malicious repeated reconfiguration, making this lower priority than remote or privilege-escalation vulnerabilities.

Remediation

Apply the Linux kernel security patch that implements proper deletion of cleared egress QoS mappings. Verify the exact patched kernel version applicable to your distribution (verify against the vendor advisory). Systems should prioritize updating to a kernel version that includes the fix, particularly those running services that dynamically manage VLAN QoS rules. In environments where kernel updates are infrequent, monitor memory usage on affected hosts to detect early signs of the leak.

Patch guidance

Consult your Linux distribution's security advisory for the specific kernel version containing this fix. Major distributions (Red Hat, Ubuntu, Debian, SUSE, etc.) will backport this patch to their supported kernel branches. Apply patches according to your organization's change management and system restart policies. Kernel updates typically require a reboot to take effect. Test patches in non-production environments first. Document which systems were running vulnerable versions prior to patching.

Detection guidance

Monitor kernel memory usage trends on systems with active VLAN interfaces, particularly memory allocated to network subsystem structures. Track the number of cleared QoS mappings or monitor the hash table size via kernel debug interfaces. Long-term memory growth without corresponding workload increase, especially on systems repeatedly reconfiguring VLAN QoS rules, may indicate this leak. Automated monitoring tools should alert on sustained memory pressure correlated with VLAN configuration changes. System administrators should review VLAN configuration scripts or orchestration tools that dynamically adjust QoS mappings.

Why prioritize this

While this is a local, limited-impact memory leak rather than a remote code execution vulnerability, it warrants timely remediation because memory exhaustion can degrade availability in production environments. The MEDIUM CVSS score (5.5) reflects the local-access requirement and limited attack surface. Priority should be elevated for systems with frequent VLAN QoS reconfiguration, data center infrastructure, and long-running services where memory leaks compound. Organizations using container orchestration or software-defined networking with dynamic QoS tuning should prioritize patching sooner.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: local attack vector (AV:L) since interactive shell or privileged access is required; low complexity (AC:L) to trigger the leak; low privilege requirements (PR:L) to reconfigure network interfaces; no user interaction needed (UI:N); and high availability impact (A:H) from memory exhaustion denial-of-service. There is no confidentiality or integrity impact. The score appropriately weights this as a local availability concern rather than a critical threat, but the practical impact on long-running infrastructure justifies prompt attention.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. Exploitation requires local access to the system and the ability to configure VLAN interfaces and their QoS mappings. Remote network traffic alone cannot trigger the leak. However, unprivileged local users with network configuration capabilities (or containerized workloads with CAP_NET_ADMIN) can induce it.

How quickly does memory exhaust after triggering this leak?

The rate depends on how frequently QoS mappings are set and cleared. In continuous production scenarios with dynamic provisioning or orchestration systems repeatedly tuning VLAN priorities, observable memory growth may occur over days to weeks. In lab or periodic reconfiguration scenarios, the leak accumulates more slowly. Long-running systems will eventually be affected.

Are there workarounds if I cannot patch immediately?

Minimize the frequency of VLAN QoS reconfiguration if possible, and configure static QoS mappings rather than dynamic ones. Monitor memory usage closely on affected systems. Plan kernel updates at your next scheduled maintenance window. There is no configuration-level mitigation within the kernel itself; patching is the definitive fix.

Does this affect all VLAN configurations or only specific setups?

The leak only manifests when egress QoS priority mappings are actively used and then cleared. Systems using VLAN interfaces without QoS egress priority configuration, or systems that set mappings once and never clear them, will not encounter this leak. It is specific to environments with dynamic QoS policy management.

This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data. Readers should independently verify all technical claims, affected product versions, and patch availability against official Linux kernel security advisories and their distribution's security bulletins. The CVSS score and severity rating are derived from the official CVE record and reflect general risk classification; actual risk in your environment depends on system configuration, network isolation, and workload specifics. SEC.co makes no warranty regarding the accuracy or completeness of this analysis and disclaims liability for decisions made in reliance on it. Always consult your vendor advisories and conduct internal testing before deploying security patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities