CVE-2026-52940

In the Linux kernel, the following vulnerability has been resolved:

tun: zero the whole vnet header in tun put user()

tun put user() declares an on-stack struct virtio net hdr v1 hash tunnel without zeroing it. For a non-tunnel skb, virtio net hdr tnl from skb() only initializes the first 10 bytes (sizeof(struct virtio net hdr)), leaving bytes 10..23 (num buffers and the hash/tunnel fields) as stack garbage.

An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so tun vnet hdr put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet.

Fix it the same way tun get user() already does by zeroing the whole header right after declaration.