tap: free page on error paths in tap_get_user_xdp()
CVE-2026-46320

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-46320?

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

Affected Version(s)

Linux 0efac27791ee068075d80f07c55a229b1335ce12 < 18a84c35842e19cd3c5534d8cee73d31863f696d

Linux 0efac27791ee068075d80f07c55a229b1335ce12 < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2

Linux 4.20

References

https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8c...

https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-46320 Data

JSON