GHSA-xqcf-gwj9-5c88HighCVSS 7.4

In the Linux kernel, the following vulnerability has been resolved: tap: free page on error...

Published
June 9, 2026
Last Modified
June 14, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

tap: free page on error paths in tap_get_user_xdp()

tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.

Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

🔗 References (4)