CVE-2026-52981

In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh xmit take skb ownership

neigh xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh xmit (mpls) relied on neigh xmit to release the skb (or queue it for tx).

sashiko reported: If neigh xmit() is called with an uninitialized neighbor table (for example, NEIGH ND TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out kfree skb error path. Because the return value of neigh xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't xmit or free skb.