Listen to this Post
Intro
CVE-2026-46153 is a memory leak vulnerability in the Linux kernel’s 8021q (VLAN) module, specifically within the `vlan_dev_set_egress_priority()` function. This function is responsible for managing egress Quality of Service (QoS) priority mappings for VLAN devices. The core of the issue lies in how the function handles the clearing of these mappings. Instead of completely deleting the mapping entries, the vulnerable code incorrectly retains them in the hash table as placeholder markers, often referred to as “tombstones.”
An attacker with local access to the system can exploit this flaw by performing repeated cycles of setting and clearing egress priority mappings, each time using distinct socket buffer (skb) priorities. On a vulnerable kernel, each of these cycles allocates a new mapping node (vlan_priority_tci_mapping object) that is never freed. The leaked nodes accumulate in memory until the associated VLAN device is eventually torn down, which might not occur for an extended period or ever on a long-running system.
The continuous allocation of these objects leads to uncontrolled memory consumption, causing the system’s memory to be exhausted gradually. Once memory resources are depleted, the operating system can become unresponsive, experience severe performance degradation, or crash entirely, resulting in a local Denial of Service (DoS) condition. This vulnerability is particularly insidious as it can be triggered by any local process with the capability to modify egress QoS settings, making it a potent local resource exhaustion vector.
The root cause analysis further reveals that the egress mapping lists are RCU-protected. While this allows for safe concurrent access, the implementation for clearing maps failed to safely unlink and free the nodes via a grace period. The patch resolves this by ensuring that when a priority is cleared, the corresponding mapping node is properly deleted and its memory is released after a grace period, eliminating the leak.
DailyCVE Form
Platform: Linux Kernel
Version: Before 7.0.7
Vulnerability : Memory Leak
Severity: Medium
date: 2026-05-28
Prediction: 2026-07-15
What Undercode Say:
Simulate the vulnerability by repeatedly setting and clearing egress QoS priorities
This will leak memory on vulnerable kernels (versions < 7.0.7)
Set a priority mapping for VLAN device (e.g., eth0.100)
for i in {1..100000}; do
Set an egress priority mapping for skb priority $i
ip link set dev eth0.100 type vlan egress-qos-map $i:1
Clear the mapping for the same skb priority
ip link set dev eth0.100 type vlan egress-qos-map $i:0
done
After this loop, memory usage will have increased due to leaked mapping nodes.
Monitor memory usage with:
watch -n 1 'grep "KernelStack|Slab|PageTables" /proc/meminfo'
How Exploit:
- Local Access: Gain local unprivileged access to the target system.
- Craft Payload: Create a loop to generate distinct `skb` priorities. For each iteration:
Set a new egress priority mapping for the VLAN device.
Immediately clear that specific mapping.
- Execute: Run the crafted payload, causing the `vlan_dev_set_egress_priority()` function to repeatedly allocate `vlan_priority_tci_mapping` nodes without freeing them.
- Exhaust Memory: The continuous allocation of nodes consumes kernel memory (slab memory), eventually leading to a system-wide memory exhaustion.
- Result: The system becomes unresponsive, crashes, or enters a Denial of Service (DoS) state.
Protection:
Apply Kernel Patch: Update the Linux kernel to version 7.0.7 or later, which includes the security fix.
Disable VLAN QoS: If patching is not immediately possible, disable or restrict the use of egress QoS priority changes on VLAN interfaces to prevent the accumulation of leaked nodes.
Monitor Memory: Implement monitoring for abnormal growth of kernel slab memory, which can indicate exploitation attempts.
Impact
The vulnerability can lead to a local Denial of Service (DoS) through memory exhaustion. An attacker with the ability to execute VLAN configuration commands (a low-privilege requirement) can consume all available system memory, causing the OS to hang or crash. The official CVSS 3.1 vector from Red Hat is: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, resulting in a Medium severity rating.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
