CVE-2026-46320: Linux Kernel TAP Device Memory Leak – HIGH Severity DoS
A memory leak in the Linux kernel's TAP (network) device driver causes pages of system memory to accumulate and never be freed when certain network packets are rejected or fail to process. Specifically, when the driver receives a packet that is too short or encounters an error while building a network packet buffer, it bypasses the cleanup routine that should release allocated memory. In batch-processing scenarios, this leak compounds—each rejected frame discards a page fragment, potentially exhausting system memory over time and leading to a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp() tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46320 is a use-after-free prevention issue in tap_get_user_xdp() within the Linux kernel's TAP driver. The function allocates a page via vhost_net_build_xdp() but fails to free it on two error paths: (1) when a frame is shorter than ETH_HLEN (minimum Ethernet header length), returning -EINVAL, and (2) when build_skb() fails, returning -ENOMEM. Because tap_sendmsg() discards per-buffer return values and always returns 0 to the caller, vhost_tx_batch() never triggers cleanup and the page remains allocated. This mirrors an identical vulnerability previously fixed in tun_xdp_one(). The leak is most severe in high-frequency batch packet scenarios.
Business impact
Memory exhaustion from repeated page-fragment leaks can degrade network availability and system responsiveness. On systems under sustained network traffic—particularly those handling packet filtering, virtual network switching, or guest-to-host communication in virtualized environments—this vulnerability can eventually force kernel OOM kills or system unavailability. Virtual machine hosts and container platforms relying on TAP devices are at elevated risk. The issue is silent; no explicit error is logged, making detection through operational metrics difficult.
Affected systems
The Linux kernel is affected. The vulnerability exists in the TAP device driver, which is commonly used in virtualization (KVM/QEMU), container networking, and packet processing scenarios. Any kernel version containing the vulnerable tap_get_user_xdp() function is affected. Systems using TAP for vhost_net bridging, virtual machine networking, or high-volume packet forwarding face the greatest exposure.
Exploitability
Exploitability requires network access to trigger packet rejection or build_skb() failures on a TAP device. No special privileges are required; an attacker on the same network segment can send malformed or undersized packets to the target's TAP device. This is classified as a network-adjacent attack (CVSS AV:A) without user interaction. However, practical exploitation depends on the TAP device being actively monitored or accessible to untrusted network traffic. In isolated or controlled environments, exposure is lower; public-facing or multi-tenant systems face higher risk.
Remediation
Apply the upstream Linux kernel patch that adds explicit page freeing before the error return in tap_get_user_xdp(). The fix adds vhost_net_frame_free() or equivalent cleanup calls on both error paths (frame too short and build_skb() failure) to match the correction already applied to tun_xdp_one(). Verify the specific patch version against your distribution's advisory and test network performance after patching.
Patch guidance
Contact your Linux distribution (Red Hat, Ubuntu, Debian, SUSE, etc.) for a kernel update incorporating the CVE-2026-46320 fix. Verify patch availability and integration status in your kernel branch before updating. Test in a non-production environment to confirm no regression in TAP device performance or vhost_net bridging functionality. For custom-compiled kernels, apply the upstream fix commit to your source tree, rebuild, and validate.
Detection guidance
Monitor kernel memory pressure metrics (available memory, MemAvailable in /proc/meminfo) on systems running TAP devices under network load. Correlate drops in available memory with TAP packet traffic. Check kernel logs for OOM killer invocations (grep oom-kill /var/log/kern.log or journalctl). Page-cache growth without corresponding application memory allocation may indicate the leak. Network monitoring tools can identify patterns of malformed or undersized packets sent to TAP devices. Establish baseline memory behavior before and after patch application to validate the fix.
Why prioritize this
This vulnerability merits HIGH priority for systems actively using TAP devices in production (virtual machine hosts, container platforms, packet filtering appliances). The attack surface is network-adjacent and requires no authentication, the impact is denial of service via resource exhaustion, and the leak compounds in batch scenarios. However, organizations with isolated or air-gapped TAP deployments face lower risk. Prioritize patching for public-facing or multi-tenant virtualization environments first.
Risk score, explained
The CVSS 3.1 score of 7.4 (HIGH) reflects: (1) network-adjacent attack vector (AV:A)—attacker must be on the same network segment, reducing exposure vs. remotely exploitable issues; (2) low attack complexity, no privileges or user interaction required; (3) high impact on availability (A:H) through memory exhaustion and potential system crash; (4) scope change (S:C) because the TAP driver runs in kernel context affecting all processes. The score does not account for the requirement that the TAP device be actively accessible to untrusted traffic, which may reduce practical risk in some environments.
Frequently asked questions
Is this vulnerability remotely exploitable over the internet?
No. The vulnerability requires network-adjacent access (same network segment) to send malformed packets to the TAP device. It cannot be exploited from the internet unless the TAP device is directly exposed to public networks, which is uncommon in secure deployments.
How quickly does the memory leak accumulate?
The leak rate depends on the packet rejection rate and page-fragment size. In normal networks, rejection is infrequent, but in adversarial scenarios (repeated undersized packets in a batch), one page fragment is lost per rejected packet. Under sustained attack, a system could exhaust memory in hours to days depending on available RAM and the attack rate.
Does this affect containerized deployments?
Yes, if the host kernel uses TAP for container networking or bridge management. Container runtimes and orchestration platforms relying on TAP interfaces for guest-to-host or inter-container communication should be patched. Containers themselves do not contain this code; the vulnerability is in the host kernel.
Are there workarounds if I cannot patch immediately?
Partial mitigations include: reducing TAP device exposure to untrusted networks, implementing ingress packet filtering to reject undersized frames before they reach the TAP driver, and monitoring memory pressure with automated alerts. However, patching is the definitive fix and should be prioritized once scheduling permits.
This analysis is based on the CVE-2026-46320 disclosure and upstream kernel advisories as of the publication date. CVSS scores and severity assessments reflect the stated vector and context; practical risk may vary based on network topology, TAP device exposure, and kernel version. Readers should verify patch availability and compatibility with their specific Linux distribution and kernel version before applying updates. SEC.co does not provide warranty for the accuracy of future patch versions or vendor implementations. This write-up is for informational purposes and should inform, not replace, your organization's vulnerability assessment and patch management processes. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment