CVE-2026-46321 Overview
CVE-2026-46321 is a memory leak vulnerability in the Linux kernel's tun driver, specifically in the tun_xdp_one() function. The function returns -EINVAL when it encounters a frame shorter than ETH_HLEN, but fails to free the page that vhost_net_build_xdp() previously allocated. A local process with access to /dev/net/tun and /dev/vhost-net can submit crafted TX descriptors to leak page-frag chunks on each kick. A tight submission loop exhausts host memory and triggers an out-of-memory (OOM) panic, resulting in denial of service on the affected host.
Critical Impact
A local attacker with access to /dev/net/tun and /dev/vhost-net can exhaust host memory and trigger an OOM panic, denying service to all tenants on the affected Linux host.
Affected Products
- Linux kernel versions containing the vulnerable tun_xdp_one() short-frame error path
- Hosts exposing /dev/net/tun and /dev/vhost-net to unprivileged or semi-privileged processes
- Virtualization hosts using vhost-net with tun/tap backends (including KVM/QEMU environments)
Discovery Timeline
- 2026-06-09 - CVE-2026-46321 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in the NVD database
Technical Details for CVE-2026-46321
Vulnerability Analysis
The flaw resides in the tun_xdp_one() function within the Linux kernel tun driver. When vhost_net_build_xdp() prepares a frame for transmission, it allocates a page-frag chunk to hold the data. The receiving function tun_xdp_one() validates the frame length against ETH_HLEN (the minimum Ethernet header length). If validation fails, the function returns -EINVAL without releasing the previously allocated page.
The error is compounded by callers that discard the return code. tun_sendmsg() drops the -EINVAL and still returns total_len, so vhost_tx_batch() follows the success path and never frees the page. Each short frame in a batch leaks one page-frag chunk. This classifies as a memory leak [CWE-401] in a privileged kernel subsystem reachable from user space.
Root Cause
The root cause is missing cleanup on the short-frame rejection path inside tun_xdp_one(). The XDP-program error path in the same function correctly frees the page, but the ETH_HLEN length check does not. This inconsistency means valid error handling exists in one branch while the other leaks resources on every failed validation.
Attack Vector
A local process opens /dev/net/tun and /dev/vhost-net, attaches a tun/tap device as the vhost-net backend, and submits TX descriptors whose payload length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch. Sustained submission depletes kernel memory until the OOM killer fires or the host panics. The attack requires local access and the ability to interact with the vhost-net interface, which is typically restricted to virtualization-related users or containers granted those device nodes.
The upstream fix frees the page before returning -EINVAL, aligning the short-frame error path with the existing XDP-program error path in the same function. See the kernel commit for the corrected logic.
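As an added illustration, not the kernel's code or this advisory's own, the following simplified C model shows the two shapes of the short-frame path in tun_xdp_one(): the refcounted slot pool, the POOL_PAGES size and the run_batch() driver are constructed stand-ins for kernel page allocation and the vhost TX batch, and running the pool dry stands in for host memory exhaustion.

```c
/* Simplified user-space model of the tun_xdp_one() short-frame path, not
 * kernel code: a fixed pool of refcounted slots stands in for page allocation. */
#include <stddef.h>
#include <errno.h>
#define ETH_HLEN   14   /* Ethernet header length, the minimum accepted frame */
#define POOL_PAGES 64   /* constructed: size of the modelled page pool */

struct page { int refs; };
static struct page pool[POOL_PAGES];

/* Model of vhost_net_build_xdp(): take one free page from the pool. */
static struct page *build_xdp(void)
{
    for (size_t i = 0; i < POOL_PAGES; i++)
        if (pool[i].refs == 0) { pool[i].refs = 1; return &pool[i]; }
    return NULL;                   /* pool exhausted: the modelled host OOM */
}

static void put_page(struct page *p) { p->refs = 0; }
/* Vulnerable shape: the length check returns before the page is released. */
static int tun_xdp_one_leaky(struct page *p, size_t len)
{
    if (len < ETH_HLEN)
        return -EINVAL;            /* p is never put back: CWE-401 */
    put_page(p);                   /* normal path consumes the page */
    return 0;
}

/* Fixed shape: the page is released on the rejection path as well. */
static int tun_xdp_one_fixed(struct page *p, size_t len)
{
    int rc = len < ETH_HLEN ? -EINVAL : 0;
    put_page(p);                   /* released on both paths */
    return rc;
}

/* Push n frames of frame_len bytes through handler on a fresh pool. Returns
 * pages still held afterwards (0 means no leak), or -ENOMEM if the pool ran dry. */
static int run_batch(int (*handler)(struct page *, size_t), int n, size_t frame_len)
{
    int held = 0;
    for (size_t i = 0; i < POOL_PAGES; i++) pool[i].refs = 0;
    for (int i = 0; i < n; i++) {
        struct page *p = build_xdp();
        if (!p) return -ENOMEM;
        (void)handler(p, frame_len);   /* tun_sendmsg() discarded this rc too */
    }
    for (size_t i = 0; i < POOL_PAGES; i++) held += pool[i].refs;
    return held;
}
```

With the leaky handler every short frame (13 bytes, one below ETH_HLEN) leaves a page held and a long enough batch returns -ENOMEM; the fixed handler returns 0 held pages for any batch length.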
Detection Methods for CVE-2026-46321
Indicators of Compromise
- Sustained, unexplained growth of kernel page-frag allocations on hosts running vhost-net
- OOM killer events or kernel panic traces referencing tun_xdp_one, tun_sendmsg, or vhost_tx_batch
- Processes repeatedly opening /dev/vhost-net and /dev/net/tun outside expected virtualization workflows
- Unusual TX descriptor submission patterns from non-hypervisor user-space processes
Detection Strategies
- Monitor /proc/meminfo and slab statistics for abnormal kernel memory consumption correlated with vhost-net activity
- Audit open() syscalls against /dev/net/tun and /dev/vhost-net using auditd or eBPF tracing
- Inspect kernel logs (dmesg) for OOM panics or warnings originating from the tun driver stack
- Track per-process page-frag accounting to identify outliers driving kernel memory growth
Monitoring Recommendations
- Alert on sudden kernel memory pressure on hypervisor hosts that lack a corresponding workload change
- Baseline normal vhost-net ioctl frequency and flag processes that exceed it
- Collect kernel crash dumps to confirm whether OOM events trace back to tun/vhost code paths
How to Mitigate CVE-2026-46321
Immediate Actions Required
- Apply the upstream stable-tree patch that frees the page on the short-frame rejection path in tun_xdp_one()
- Restrict access to /dev/net/tun and /dev/vhost-net to trusted virtualization users and service accounts only
- Review container and VM tenant configurations to confirm these device nodes are not exposed unnecessarily
- Enable kernel OOM and crash telemetry so memory exhaustion events trigger investigation
Patch Information
The fix is available in the upstream Linux stable tree. Refer to the following commits for the corrected error-handling path in tun_xdp_one():
- Kernel commit 37a1c268c2c8
- Kernel commit 69863ff2720a
- Kernel commit 98c67be9eb9d
- Kernel commit f4feb1e20058
Distribution-provided backports should be installed once available from the respective vendor channels.
Workarounds
- Remove read/write permissions on /dev/net/tun and /dev/vhost-net for non-virtualization users until the patch is applied
- Disable vhost-net acceleration where it is not required, forcing traffic through the standard tun/tap path
- Use Linux namespaces and seccomp to block the affected ioctls for untrusted workloads
# Configuration example: restrict vhost-net device access to a dedicated group
sudo groupadd -r vhostnet
sudo chown root:vhostnet /dev/vhost-net /dev/net/tun
sudo chmod 0660 /dev/vhost-net /dev/net/tun
# Add only trusted virtualization service accounts (the account name is site-specific)
sudo usermod -aG vhostnet qemu
# Note: udev recreates these device nodes at boot with their default ownership and
# mode, so persist the restriction with a matching udev rule under /etc/udev/rules.d/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.