CVE Catalog

CVE-2026-52940

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, the tun_put_user() function declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For non-tunnel packets, only the first 10 bytes are initialized, leaving bytes 10..23 as stack garbage. An unprivileged user can set the vnet header size to 24 bytes, causing 14 bytes of kernel stack data to be leaked to userspace on every read of a non-tunnel packet.

Risk Assessment

The organization is at risk of leaking sensitive kernel data (e.g., keys, passwords, fragments of other processes) to userspace, which could enable privilege escalation or information theft.

Recommendation

Immediately apply the security patch for the Linux kernel that zeros the entire virtio_net_hdr_v1_hash_tunnel structure in tun_put_user(). Update the system to a kernel version containing the fix.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: tun: zero the whole vnet header in tun_put_user() tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet. Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS