๐Ÿ” CVE Alert

CVE-2026-52940

UNKNOWN 0.0

tun: zero the whole vnet header in tun_put_user()

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In the Linux kernel, the following vulnerability has been resolved:

tun: zero the whole vnet header in tun_put_user()

tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage.

An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet.

Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.
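The pattern described above, modelled in userspace C as an added example (not the kernel's code and not taken from the fix commits). struct model_hdr, model_fill_non_tunnel() and model_put_user() are hypothetical stand-ins that keep only the 10-byte and 24-byte sizes from the description, and stale stack content is simulated with a constructed fill byte so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_HDR_LEN 10 /* sizeof(struct virtio_net_hdr), per the description */
#define FULL_HDR_LEN 24 /* header size selected with TUNSETVNETHDRSZ */

/* Hypothetical stand-in for struct virtio_net_hdr_v1_hash_tunnel (sizes only). */
struct model_hdr {
    uint8_t base[BASE_HDR_LEN];                /* written for every packet */
    uint8_t rest[FULL_HDR_LEN - BASE_HDR_LEN]; /* num_buffers, hash/tunnel fields */
};

/* Models the non-tunnel path: only the first 10 bytes are initialized. */
static void model_fill_non_tunnel(struct model_hdr *h)
{
    memset(h->base, 0, sizeof(h->base));
    h->base[0] = 1; /* constructed field value */
}

/* Builds the header on the stack and copies vnet_hdr_sz bytes to out.
 * Returns how many bytes of simulated stale stack (value `stale`) were copied. */
size_t model_put_user(uint8_t *out, size_t vnet_hdr_sz, uint8_t stale, int zero_first)
{
    struct model_hdr h;
    size_t leaked = 0;

    memset(&h, stale, sizeof(h));  /* simulate leftover stack contents */
    if (zero_first)
        memset(&h, 0, sizeof(h));  /* the fix: zero the whole header first */
    model_fill_non_tunnel(&h);
    if (vnet_hdr_sz > sizeof(h))
        vnet_hdr_sz = sizeof(h);
    memcpy(out, &h, vnet_hdr_sz);  /* models the copy to userspace */
    for (size_t i = BASE_HDR_LEN; i < vnet_hdr_sz; i++)
        if (out[i] == stale)
            leaked++;
    return leaked;
}

int main(void)
{
    uint8_t out[FULL_HDR_LEN];
    printf("unzeroed, 24-byte header: %zu stale bytes\n", model_put_user(out, 24, 0xAA, 0));
    printf("zeroed,   24-byte header: %zu stale bytes\n", model_put_user(out, 24, 0xAA, 1));
    printf("unzeroed, 10-byte header: %zu stale bytes\n", model_put_user(out, 10, 0xAA, 0));
    return 0;
}
```

The 10-byte case shows why the problem only appears once the larger header size is selected: the copy never reaches the uninitialized tail.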

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Jun 24, 2026

Affected Versions

Linux / Linux
288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 5fd1fa5a4254bfdd70571c77f5e3bcb4e43738d5
288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 585cb85e9a29185be05f326369573c2663cf4380
288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 < 7f2fcff15e99bb852f6967396ed12b38376e2c8d
Linux / Linux
6.17

References

git.kernel.org: https://git.kernel.org/stable/c/5fd1fa5a4254bfdd70571c77f5e3bcb4e43738d5
git.kernel.org: https://git.kernel.org/stable/c/585cb85e9a29185be05f326369573c2663cf4380
git.kernel.org: https://git.kernel.org/stable/c/7f2fcff15e99bb852f6967396ed12b38376e2c8d