Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel tap_get_user_xdp() page-frag memory leak

IdentifiersCVE-2026-46320CWE-401

CVE-2026-46320 is a Linux kernel memory management flaw in the TAP/XDP transmit path, specifically in tap_get_user_xdp(). The function can reject frames shorter than ETH_HLEN with -EINVAL and can also fail with -ENOMEM when build_skb() returns an error. In the vulnerable implementation, both error paths jump to a common err label without freeing the page previously allocated by vhost_net_build_xdp() for the frame. Because tap_sendmsg() ignores the per-buffer return value and always returns 0, vhost_tx_batch() follows the success path and does not release the page either. As a result, each rejected frame in a batch leaks one page-frag chunk. The fix is to free the allocated page on both affected error paths before skb construction. This issue is described as the TAP-side counterpart of a similar leak previously identified in tun_xdp_one().

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a kernel memory leak in the TAP/XDP path. An attacker or untrusted local workload capable of repeatedly triggering the affected error conditions can consume kernel memory over time, leading to resource exhaustion, degraded performance, and potentially denial of service or reduced system stability. The provided content does not establish reliable direct code execution from this flaw alone.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is provided in the supplied advisories. Until patched, reduce exposure by limiting access for untrusted local users, guests, containers, or workloads that can exercise the TAP/XDP transmit path, especially via vhost/TAP-backed networking. Monitor affected systems for abnormal kernel memory growth or resource exhaustion symptoms.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release containing the fix for CVE-2026-46320. The patch frees the page allocated by vhost_net_build_xdp() on both affected error paths in tap_get_user_xdp() before build_skb() processing continues. For Debian stable (trixie), upgrade the linux package to version 6.12.94-1 or later fixed version provided by Debian.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

14 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-46320
NVD
nvd.nist.gov/vuln/detail/CVE-2026-46320
MITRE CWE · CWE-401
cwe.mitre.org
git.kernel.org
git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d
git.kernel.org
git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2