CVE-2026-46321

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun_xdp_one()

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic.

Free the page before returning -EINVAL, matching the XDP-program error path in the same function.
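The ownership mistake described above, reduced to a userspace C model (an added example, not the kernel source or the upstream patch). The names model_xdp_one, model_sendmsg, leaked_after_batch and the live_pages counter are hypothetical, allocation is folded into the send loop for brevity, and the frame lengths are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ETH_HLEN 14          /* Ethernet header length, same value as the kernel */
static long live_pages;      /* model-only count of buffers not yet freed */

static void *page_alloc(void) { live_pages++; return malloc(4096); }
static void page_free(void *p) { live_pages--; free(p); }

/* Model of the per-frame handler. fixed == 0 reproduces the pre-patch
 * short-frame path: -EINVAL is returned while the page is still allocated. */
static int model_xdp_one(void *page, size_t len, int fixed)
{
    if (len < ETH_HLEN) {
        if (fixed)
            page_free(page);     /* the fix: free before returning the error */
        return -EINVAL;
    }
    page_free(page);             /* stands in for the frame being consumed */
    return 0;
}

/* Model of the sendmsg step: the per-frame error is discarded and the full
 * length is reported, so the caller never learns that a page needs freeing. */
static size_t model_sendmsg(const size_t *lens, size_t n, int fixed)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        (void)model_xdp_one(page_alloc(), lens[i], fixed);
        total += lens[i];
    }
    return total;
}

/* Run one constructed batch and return how many pages it left allocated. */
static long leaked_after_batch(int fixed)
{
    const size_t lens[] = { 60, 4, 1514, 13, 0 };  /* constructed; three are short */
    long before = live_pages;
    model_sendmsg(lens, sizeof lens / sizeof lens[0], fixed);
    return live_pages - before;
}

int main(void)
{
    printf("leaked: pre-patch %ld, patched %ld\n", leaked_after_batch(0), leaked_after_batch(1));
    return 0;
}
```

Because the caller only sees a success return, the error path itself has to own the cleanup; that is why the fix lives in the short-frame branch rather than in the batch caller.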

Package: Linux Kernel
Published: 2026-06-09
Last modified: 2026-06-09
Patch available: Yes

Affected versions

Linux kernel versions 5.4.281, 5.10.223, 5.15.164, 6.1.102, 6.6.43, 6.9.12, 6.10.2, 6.11 and later are affected. Fixed in 6.12.93, 6.18.35, 7.0.12, 7.1-rc6 and their respective stable series.

Affected from: ≥ 5.4.281, ≥ 5.10.223, ≥ 5.15.164, ≥ 6.1.102, ≥ 6.6.43, ≥ 6.9.12, ≥ 6.10.2, ≥ 6.11
Fixed in: 6.12.93 (6.12.x), 6.18.35 (6.18.x), 7.0.12 (7.0.x), 7.1-rc6

Frequently asked questions

  • What is CVE-2026-46321?

    CVE-2026-46321 is a Linux kernel vulnerability with unscored severity. It affects Linux kernel versions from 5.4.281 onward and has been patched in 6.12.93, 6.18.35, 7.0.12 and others. CVE-2026-46321 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • Is there a patch available for CVE-2026-46321?

    Yes. CVE-2026-46321 has been patched. Fixed versions include 6.12.93, 6.18.35, 7.0.12 and others. If you are running Linux kernel 5.4.281 or later and have not yet reached a fixed version, apply the relevant patch for your kernel branch.

  • Is CVE-2026-46321 actively exploited?

    No — CVE-2026-46321 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.