CVE-2026-52940
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, the tun_put_user() function declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For non-tunnel packets, only the first 10 bytes are initialized, leaving bytes 10..23 as stack garbage. An unprivileged user can set the vnet header size to 24 bytes, causing 14 bytes of kernel stack data to be leaked to userspace on every read of a non-tunnel packet.
Risk Assessment
The organization is at risk of leaking sensitive kernel data (e.g., keys, passwords, fragments of other processes) to userspace, which could enable privilege escalation or information theft.
Recommendation
Immediately apply the security patch for the Linux kernel that zeros the entire virtio_net_hdr_v1_hash_tunnel structure in tun_put_user(). Update the system to a kernel version containing the fix.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: tun: zero the whole vnet header in tun_put_user() tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel without zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb() only initializes the first 10 bytes (sizeof(struct virtio_net_hdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet. Fix it the same way tun_get_user() already does by zeroing the whole header right after declaration.

