CVE-2026-46321: Linux Kernel TUN Driver Memory Leak - Local DoS Vulnerability
A memory leak vulnerability exists in the Linux kernel's TUN device driver. When a frame shorter than the Ethernet header minimum is rejected, the kernel fails to release allocated memory pages. An attacker with local access to /dev/net/tun and /dev/vhost-net can exploit this by repeatedly sending undersized frames through a vhost-net backend, exhausting system memory and potentially causing the host to crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46321 is a use-after-free / memory leak in tun_xdp_one() within the TUN driver. The function validates incoming frames against ETH_HLEN (14 bytes, the Ethernet header length) and rejects frames below this threshold with -EINVAL. However, it fails to free the page fragment that vhost_net_build_xdp() allocated prior to validation. Because tun_sendmsg() masks the error and returns total_len to indicate success, the caller (vhost_tx_batch()) never executes its cleanup path. Repeated kicks with short frames leak one page-frag chunk per frame, exhausting the kernel's page allocator and triggering OOM.
Business impact
This vulnerability enables local denial of service on Linux systems running vhost-net with TUN/TAP backends. An unprivileged process can exhaust host memory without requiring elevated privileges or kernel module loading, potentially crashing shared systems and disrupting services for all tenants. Container and virtual machine environments are particularly exposed if users can access /dev/net/tun and /dev/vhost-net.
Affected systems
All Linux kernel versions containing the vulnerable tun_xdp_one() function are affected. This includes recent stable and LTS kernels. Systems enabling vhost-net for guest networking—common in KVM, QEMU, and container deployments—face active exposure. Verify your kernel version against the upstream Linux commit fixing this issue.
Exploitability
Exploitability is straightforward: an attacker needs local access (unprivileged) to open /dev/net/tun and /dev/vhost-net, attach a TUN device as a vhost-net backend, and transmit frames with lengths below ETH_HLEN (e.g., 13 bytes or fewer). A tight loop rapidly exhausts memory. No special kernel configuration, debug features, or elevated privileges are required. The attack is reliable and deterministic.
Remediation
Apply a kernel update that includes the fix for tun_xdp_one(). The patch adds a page-freeing call before the -EINVAL return path, ensuring symmetric cleanup. Verify against the upstream Linux kernel mailing list and your distribution's advisory for the exact patched version. Interim mitigation: restrict unprivileged access to /dev/net/tun and /dev/vhost-net using AppArmor, SELinux, or device permission controls.
Patch guidance
Consult your Linux distribution's security advisory for the patched kernel version addressing CVE-2026-46321. Upstream kernels include the fix; verify the commit hash resolving the tun_xdp_one() memory leak. For production deployments, test the patched kernel in a staging environment before rolling out to validate stability and performance. Consider prioritizing updates for systems running vhost-net backends or exposed to untrusted local users.
Detection guidance
Monitor kernel memory pressure via /proc/meminfo and PSI metrics (Pressure Stall Information) for unexpected page-allocator exhaustion on systems with vhost-net active. Enable audit logging for /dev/net/tun and /dev/vhost-net access to identify unprivileged processes attempting to open these devices. Kernel logs may show page allocation failures or OOM killer invocations. Correlate memory pressure spikes with repeated vhost-net kicks or TUN device resets in guest TX batches.
Why prioritize this
This vulnerability merits rapid patching due to its low barrier to exploitation (local access only, no elevated privileges), high impact (system-wide denial of service and potential crash), and likely prevalence in virtualized and containerized environments. The attack vector is straightforward and deterministic, making it attractive for both accidental resource exhaustion and intentional sabotage in multi-tenant scenarios.
Risk score, explained
CVSS 3.1 score of 7.1 (HIGH) reflects a local attack vector (AV:L), no special conditions (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and system-wide availability impact (S:C/A:H). Confidentiality and integrity are unaffected. The score appropriately captures the severity of memory exhaustion without elevation privileges but within local access scope.
Frequently asked questions
Can an attacker trigger this vulnerability remotely over the network?
No. The attack requires direct local access to /dev/net/tun and /dev/vhost-net device files. It cannot be exploited remotely across a network. However, in cloud or container environments, any unprivileged user with device access is at risk.
Do I need elevated privileges (root) to exploit this?
No. The vulnerability requires only unprivileged (user-mode) access to /dev/net/tun and /dev/vhost-net. If these devices have permissive permissions or if the attacker is already running in a container, they can trigger the memory leak without sudo or setuid.
What is the difference between this vulnerability and a typical memory leak?
While this is technically a memory leak (page fragments not freed), the critical aspect is the rate of leakage and its deterministic nature. An attacker can exhaust system memory in seconds using a tight loop, reliably triggering OOM and crashing the host—making it an effective denial-of-service vector rather than a slow resource degradation.
Are there interim mitigations if I cannot patch immediately?
Yes. Restrict device permissions: use chmod, SELinux, or AppArmor to prevent unprivileged access to /dev/net/tun and /dev/vhost-net. Disable vhost-net if not required. Monitor memory pressure and set aggressive OOM killer policies. These do not fix the underlying bug but significantly reduce exposure.
This analysis is provided for informational purposes. The CVSS score, affected products, and technical details are sourced from official vulnerability databases and Linux upstream advisories. Verify all patch versions and availability against your distribution's security advisory before deployment. Test patches in non-production environments. The vulnerability's exploitability and impact may vary based on system configuration, kernel version, and access controls. SEC.co disclaims liability for damages resulting from reliance on this information without independent verification. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment