Linux kernel tap_get_user_xdp Page Leak in TCP Tap (CVE-2026-46320)
CVE-2026-46320 Published on June 9, 2026
tap: free page on error paths in tap_get_user_xdp()
In the Linux kernel, the following vulnerability has been resolved:
tap: free page on error paths in tap_get_user_xdp()
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Products Associated with CVE-2026-46320
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 0efac27791ee068075d80f07c55a229b1335ce12 and below 18a84c35842e19cd3c5534d8cee73d31863f696d is affected.
- Version 0efac27791ee068075d80f07c55a229b1335ce12 and below 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 is affected.
- Version 4.20 is affected.
- Before 4.20 is unaffected.
- Version 7.0.12, <= 7.0.* is unaffected.
- Version 7.1-rc6, <= * is unaffected.