PT-2026-47759 · Linux · Linux
Published: 2026-06-09 · Updated: 2026-06-09
CVE-2026-46322
Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on build_skb failure in tun_xdp_one()

When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.

Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.
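The ownership gap described above, as an added userspace model that is not kernel source and not the upstream patch: every `model_*` name is a hypothetical stand-in for the kernel function named in its comment, pages are plain heap chunks, and the failure pattern is constructed input.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

static int live_pages;                  /* pages allocated and not yet released */

static void *model_alloc_page(void) { live_pages++; return malloc(64); }
static void model_put_page(void *p) { live_pages--; free(p); }

/* Stand-in for tun_xdp_one(): build_fails simulates build_skb() returning NULL. */
static int model_xdp_one(void *page, bool build_fails, bool patched)
{
    if (build_fails) {
        if (patched)
            model_put_page(page);       /* the fix: release before the error exit */
        return -ENOMEM;
    }
    model_put_page(page);               /* success: the skb consumes the page */
    return 0;
}

/* Stand-in for tun_sendmsg(): per-buffer errors are dropped, total_len returned. */
static int model_sendmsg(void **pages, const bool *fails, size_t n,
                         int total_len, bool patched)
{
    for (size_t i = 0; i < n; i++)
        (void)model_xdp_one(pages[i], fails[i], patched);
    return total_len;
}

/* Stand-in for vhost_tx_batch(): frees pages only if sendmsg reports an error. */
int model_tx_batch(const bool *fails, size_t n, bool patched)
{
    void *pages[16];
    if (n > 16) return -EINVAL;
    live_pages = 0;
    for (size_t i = 0; i < n; i++)
        pages[i] = model_alloc_page();
    if (model_sendmsg(pages, fails, n, (int)(n * 64), patched) < 0)
        for (size_t i = 0; i < n; i++)
            model_put_page(pages[i]);
    return live_pages;                  /* pages leaked by this batch */
}

int main(void)
{
    const bool fails[4] = { false, true, false, true };   /* constructed input */
    return model_tx_batch(fails, 4, false) == 2 && model_tx_batch(fails, 4, true) == 0 ? 0 : 1;
}
```

The caller's cleanup loop never runs because the batch call always reports success, so the callee that hits the failure is the only place the page can be released.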
Affected Products
Linux