CVE-2026-46320 Overview
CVE-2026-46320 is a memory leak vulnerability in the Linux kernel's tap driver, specifically in the tap_get_user_xdp() function. The function rejects frames shorter than ETH_HLEN with -EINVAL and returns -ENOMEM when build_skb() fails. Both error paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. Because tap_sendmsg() discards the per-buffer return value and always returns 0, vhost_tx_batch() takes the success path and never frees the page. Each rejected frame in a batch leaks one page-frag chunk.
Critical Impact
Repeated submission of malformed frames through a tap device backed by vhost-net leaks kernel memory, leading to resource exhaustion over time.
Affected Products
- Linux kernel tap driver with XDP support via vhost-net
- Stable kernel branches receiving the referenced backport commits
- Virtualization hosts using tap interfaces for guest networking
Discovery Timeline
- 2026-06-09 - CVE-2026-46320 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46320
Vulnerability Analysis
The defect resides in tap_get_user_xdp(), which processes XDP (eXpress Data Path) frames submitted from userspace through vhost-net. The caller, vhost_net_build_xdp(), allocates a page-frag chunk to hold the frame before invoking the tap layer. When tap_get_user_xdp() encounters a malformed or unbuildable frame, it transfers control to the err label without releasing that page.
Compounding the leak, tap_sendmsg() collapses the per-buffer error code into a unified return value of 0. The batching layer vhost_tx_batch() interprets this as success and skips its own cleanup path. Every rejected frame in a transmit batch therefore strands one page-frag allocation in the kernel slab. This is the tap counterpart of an equivalent leak previously fixed in tun_xdp_one().
Root Cause
The root cause is missing resource cleanup on error paths [CWE-401]. The two error exits — frame shorter than ETH_HLEN returning -EINVAL, and build_skb() failure returning -ENOMEM — both bypass the page release before the skb is constructed. Ownership of the allocated page was implicitly expected to transfer to the skb, so neither caller nor callee frees it on the rejection path.
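The ownership gap described above, as an added userspace model in C (not kernel code and not taken from the patch). The `model_*`, `chunk_*` and `demo_leak` names and the sample batch are hypothetical and constructed for illustration; `malloc()` stands in for the page-frag chunk.

```c
/* Userspace model of the leak; NOT kernel code. All helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define ETH_HLEN 14                 /* Ethernet header length */

struct frame { size_t len; int build_skb_fails; };   /* constructed input */
static long live_chunks;            /* chunks allocated and not yet released */

/* Stand-in for the per-frame chunk allocated by vhost_net_build_xdp(). */
static void *chunk_alloc(void) { live_chunks++; return malloc(4096); }
static void chunk_free(void *p) { live_chunks--; free(p); }

/* Model of tap_get_user_xdp(); `patched` selects the fixed error path. */
static int model_get_user_xdp(void *chunk, const struct frame *f, int patched)
{
    int err;
    if (f->len < ETH_HLEN) { err = -EINVAL; goto err; }
    if (f->build_skb_fails) { err = -ENOMEM; goto err; }
    chunk_free(chunk);              /* success: the skb owns the chunk and is consumed */
    return 0;
err:
    if (patched)
        chunk_free(chunk);          /* the fix: release the chunk on both error paths */
    return err;
}

/* Model of tap_sendmsg(): per-buffer results are discarded and the result
 * is always 0, so the caller's failure cleanup never runs. */
static int model_sendmsg(const struct frame *b, size_t n, int patched)
{
    for (size_t i = 0; i < n; i++)
        (void)model_get_user_xdp(chunk_alloc(), &b[i], patched);
    return 0;
}

/* Runs one constructed batch and returns the number of stranded chunks. */
long demo_leak(int patched)
{
    static const struct frame batch[] = {{60,0},{5,0},{1500,0},{13,0},{64,1},{14,0}};
    live_chunks = 0;
    model_sendmsg(batch, sizeof batch / sizeof batch[0], patched);
    return live_chunks;
}

int main(void)
{
    printf("unpatched: %ld leaked, patched: %ld leaked\n", demo_leak(0), demo_leak(1));
    return 0;
}
```

In the constructed batch, two frames are shorter than ETH_HLEN and one simulates a build_skb() failure, so the unpatched path strands three chunks and the patched path strands none.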
Attack Vector
Exploitation requires local access to a tap device, typically available to virtualization stacks running QEMU/KVM with vhost-net acceleration. A guest or local process able to submit crafted frames through the tap socket can repeatedly trigger the error paths. Each rejected frame consumes a page-frag chunk, gradually exhausting kernel memory and degrading host stability.
The vulnerability does not provide code execution or information disclosure. The impact is confined to denial of service through progressive memory exhaustion on the host.
Detection Methods for CVE-2026-46320
Indicators of Compromise
- Sustained growth in kernel slab/page-frag memory attributable to network paths without corresponding traffic volume
- Elevated rates of short or malformed frames observed on tap interfaces backing virtual machines
- dmesg warnings or OOM events on virtualization hosts running guests with high packet-rejection rates
Detection Strategies
- Monitor /proc/meminfo and /proc/slabinfo for steady increases in unreclaimable kernel allocations on hosts using vhost-net
- Audit running kernel versions against the patch commits 18a84c35842e and 3bcf7aec6a9d to identify unpatched hosts
- Correlate guest network behavior with host memory pressure using telemetry from virtualization platforms
Monitoring Recommendations
- Track per-interface drop counters on tap devices using ethtool -S and ip -s link
- Alert on hosts where kernel memory consumption trends upward while userspace usage remains flat
- Centralize host kernel telemetry to identify systematic patterns across the virtualization fleet
How to Mitigate CVE-2026-46320
Immediate Actions Required
- Identify Linux hosts running vhost-net with tap interfaces and inventory their kernel versions
- Schedule kernel updates to the stable release containing commits 18a84c35842e and 3bcf7aec6a9d
- Restrict access to tap devices and /dev/vhost-net to trusted virtualization processes only
Patch Information
The fix frees the allocated page on both error paths in tap_get_user_xdp() before the skb is built. The corrective changes are available in the upstream Linux kernel tree as kernel git commits 18a84c3 and 3bcf7ae. Apply the vendor-provided kernel update for your distribution.
Workarounds
- Disable XDP acceleration on tap interfaces where it is not strictly required
- Reduce reliance on vhost-net batching for workloads that cannot be promptly patched
- Enforce strict frame validation upstream of the tap interface to minimize rejected frames reaching the kernel
# Show the running kernel release, to compare against the fixed version in your distribution's advisory
uname -r
# Check distribution advisories for the fixed package version, then update
# Example (Debian/Ubuntu):
sudo apt update && sudo apt upgrade linux-image-$(uname -r | sed 's/.*-//')
# Example (RHEL/Fedora):
sudo dnf update kernel
# Reboot to activate the patched kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


