In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp() tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().

A flaw was found in the Linux kernel's tap driver. This vulnerability occurs in the `tap_get_user_xdp()` function, where allocated memory pages are not properly freed when processing rejected network frames. Specifically, if a frame is shorter than the expected Ethernet header length or if memory allocation fails, the error handling paths do not release the previously allocated page. This oversight can lead to a memory leak, as each rejected frame in a batch can cause one page-frag chunk to be leaked, potentially impacting system stability and performance over time.

Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-46320 https://nvd.nist.gov/vuln/detail/CVE-2026-46320 https://lore.kernel.org/linux-cve-announce/2026060925-CVE-2026-46320-71d9@gregkh/T