CVE-2026-46321

In the Linux kernel, the following vulnerability has been resolved:

tun: free page on short-frame rejection in tun xdp one()

tun xdp one() returns -EINVAL on a frame shorter than ETH HLEN without freeing the page that vhost net build xdp() allocated for it. tun sendmsg() discards that -EINVAL and still returns total len, so vhost tx batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.