CVE-2026-46322 Overview
CVE-2026-46322 is a memory leak vulnerability in the Linux kernel's TUN driver, specifically within the tun_xdp_one() function. When build_skb() fails during XDP frame processing, the function sets ret to -ENOMEM and jumps to the out label without freeing the page that vhost_net_build_xdp() previously allocated for the frame.
The error is then discarded by tun_sendmsg(), which still returns total_len. This causes vhost_tx_batch() to take the success path and never release the page. Each build_skb() failure in a batch leaks one page-frag chunk, gradually exhausting kernel memory under sustained allocation pressure.
Critical Impact
Sustained memory leaks in the TUN/vhost-net path can lead to kernel memory exhaustion and denial of service on hosts running virtualized networking workloads.
Affected Products
- Linux kernel TUN driver (drivers/net/tun.c)
- vhost-net subsystem integration with TUN XDP path
- Linux kernel stable branches addressed by commits 4fefc61, aa308e9, aa8963f, and d16e38f
Discovery Timeline
- 2026-06-09 - CVE-2026-46322 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46322
Vulnerability Analysis
The vulnerability resides in the TUN driver's XDP fast path, used when virtio/vhost-net delivers packets through the AF_PACKET-style sendmsg interface. The vhost_net_build_xdp() function allocates a page-frag chunk to hold each frame before passing it to tun_xdp_one() for skb construction.
When build_skb() returns NULL due to memory pressure, the existing error path stores -ENOMEM in ret and branches to the out label. Unlike the short-frame rejection path and other error exits in the same function, this branch never calls put_page() on the allocated frame buffer. The page reference is silently dropped from tracking while the underlying memory remains pinned.
Root Cause
The root cause is an incomplete error-handling path [CWE-401: Missing Release of Memory after Effective Lifetime]. The build_skb() failure branch in tun_xdp_one() omits the put_page() call that peer error exits perform. Compounding the issue, tun_sendmsg() collapses per-buffer error codes and returns total_len regardless, so vhost_tx_batch() cannot detect the partial failure and clean up. The result is a guaranteed leak of one page-frag per failed allocation.
Attack Vector
Exploitation requires local conditions that trigger build_skb() failures in the TUN XDP path, typically sustained memory pressure on a host running vhost-net with XDP-enabled guests. A guest or local workload generating high packet throughput while the host is under memory pressure will accelerate leak accumulation. Over time, leaked pages reduce available kernel memory, degrading host performance and potentially leading to a denial-of-service condition for co-located workloads.
The vulnerability is described as a resource leak rather than a memory-safety corruption. There is no direct code execution primitive, but it is reachable from any context that can drive packets through a TUN device backed by vhost-net.
No verified exploit code is available. The fix is published in the upstream Linux kernel commits referenced below.
Detection Methods for CVE-2026-46322
Indicators of Compromise
- Steady growth in kernel slab and page-frag accounting on hosts running vhost-net with no corresponding workload increase
- Repeated -ENOMEM returns from build_skb() visible via kernel tracing on the tun_xdp_one path
- Gradual reduction in MemAvailable reported by /proc/meminfo on virtualization hosts
- OOM killer activity targeting guest VM processes or vhost worker threads despite stable advertised workload
Detection Strategies
- Audit running kernel versions across virtualization hosts and compare against the stable commits 4fefc61, aa308e9, aa8963f, and d16e38f
- Instrument tun_xdp_one and build_skb with bpftrace or perf to count failure events and correlate with page allocation
- Monitor /proc/meminfo, /proc/slabinfo, and node_memory_* Prometheus metrics for unexplained downward trends
Monitoring Recommendations
- Forward kernel logs and resource telemetry from hypervisor hosts into a centralized data lake for longitudinal analysis
- Alert on sustained increases in unaccounted kernel memory on hosts using vhost-net XDP
- Track kernel package versions in configuration management to confirm patch deployment
How to Mitigate CVE-2026-46322
Immediate Actions Required
- Identify Linux hosts running vhost-net with TUN XDP and prioritize them for kernel updates
- Apply the upstream stable kernel patches that add the missing put_page() call before the error return in tun_xdp_one()
- Restart affected hosts or reload the tun module after patching to ensure the corrected code path is loaded
Patch Information
The fix frees the page before taking the error path in tun_xdp_one(), matching the put_page() behavior of the other error exits. The patch is available in the following upstream commits:
- Kernel Git Commit 4fefc61
- Kernel Git Commit aa308e9
- Kernel Git Commit aa8963f
- Kernel Git Commit d16e38f
Workarounds
- Disable XDP on TUN/vhost-net interfaces where feasible until the kernel patch is applied
- Provision additional host memory headroom to reduce the likelihood of build_skb() allocation failures
- Schedule periodic reboots of affected hypervisor hosts to reclaim leaked pages until patching is complete
# Verify running kernel and confirm patch inclusion
uname -r
zgrep -i 'tun_xdp_one' /proc/kallsyms
# Identify hosts where vhost-net XDP is in use
lsmod | grep -E 'tun|vhost_net'
ip -details link show | grep -A2 tun
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
