Linux Kernel Vulnerability in TUN Interface Affecting User Privileges
CVE-2026-52940

Currently unrated

Key Information:

Vendor

Linux

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-52940?

A vulnerability in the Linux kernel's TUN interface allows unprivileged users to read uninitialized memory. Specifically, the function tun_put_user() fails to zero the entire vnet header structure, so reading non-tunnel packets can leak sensitive kernel stack data. The issue stems from certain fields of the header being left uninitialized; whatever stack memory they happen to hold is then exposed to user space. The fix zeroes the entire header at declaration, matching the existing safeguards in related functions.
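The bug class described above, as an added user-space example that is not the kernel's code: a header whose extension fields are written only on one path is copied out whole, first without and then with zeroing at declaration. The struct layout, field names, the STALE marker and both functions are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header, not the kernel's: base fields that every packet
 * sets, plus extension fields that only the tunnel path writes. */
struct demo_hdr {
    uint8_t  flags;
    uint8_t  gso_type;
    uint16_t hdr_len;
    uint16_t ext_a;   /* tunnel path only */
    uint16_t ext_b;   /* tunnel path only */
};

#define STALE 0xAA    /* constructed marker standing in for old stack data */

/* Build a non-tunnel header and copy the whole struct to `out`, as a
 * read() would. zero_first selects the fixed behaviour. */
static void put_hdr(unsigned char *out, int zero_first)
{
    struct demo_hdr hdr;

    memset(&hdr, STALE, sizeof(hdr));   /* model a reused, dirty stack slot */
    if (zero_first)
        memset(&hdr, 0, sizeof(hdr));   /* fix: zero the entire header */

    hdr.flags = 0;                      /* non-tunnel path sets base fields */
    hdr.gso_type = 0;
    hdr.hdr_len = 0;
    memcpy(out, &hdr, sizeof(hdr));     /* every byte reaches the reader */
}

/* Count bytes in the copied header that still carry stale data. */
size_t leaked_bytes(int zero_first)
{
    unsigned char out[sizeof(struct demo_hdr)];
    size_t i, n = 0;

    put_hdr(out, zero_first);
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("unzeroed: %zu stale bytes, zeroed: %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Setting the fields one by one leaves every byte the path does not touch, including any compiler padding, in whatever state the stack slot was in, which is why the header is cleared as a whole.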

Affected Version(s)

Linux 288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 5fd1fa5a4254bfdd70571c77f5e3bcb4e43738d5

Linux 288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 585cb85e9a29185be05f326369573c2663cf4380

Linux 288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 7f2fcff15e99bb852f6967396ed12b38376e2c8d

Timeline

  • Vulnerability published

  • Vulnerability Reserved