CVE-2026-46320

tap: free page on error paths in tap_get_user_xdp()

Assigner: Linux
Reserved: 13.05.2026 Published: 09.06.2026 Updated: 09.06.2026

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 0efac27791ee068075d80f07c55a229b1335ce12 to 18a84c35842e19cd3c5534d8cee73d31863f696d (excl.) affected from 0efac27791ee068075d80f07c55a229b1335ce12 to 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 0efac27791ee068075d80f07c55a229b1335ce12 to 18a84c35842e19cd3c5534d8cee73d31863f696d (excl.)
affected from 0efac27791ee068075d80f07c55a229b1335ce12 to 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 4.20 is affected unaffected from 0 to 4.20 (excl.) unaffected from 7.0.12 to 7.0.* (incl.) unaffected from 7.1-rc6 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 4.20 is affected
unaffected from 0 to 4.20 (excl.)
unaffected from 7.0.12 to 7.0.* (incl.)
unaffected from 7.1-rc6 to * (incl.)

References

CVE-2026-46320 PUBLISHED

tap: free page on error paths in tap_get_user_xdp()

Product Status

References