PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46153 Linux CVE debrief

CVE-2026-46153 is a memory leak vulnerability in the Linux kernel's 802.1Q VLAN subsystem. The flaw exists in `vlan_dev_set_egress_priority()`, which manages egress QoS priority mappings for VLAN devices. When a priority mapping is cleared (by setting `vlan_prio` to 0), the function previously retained the mapping node as a tombstone in the hash table rather than removing it. Repeated set/clear cycles with different skb priorities cause these tombstone nodes to accumulate without bound, leaking memory until the VLAN device is torn down. The fix deletes mapping nodes when they are cleared, using RCU protection to unlink nodes safely and free them after a grace period. This vulnerability affects systems whose VLAN egress QoS mappings are modified dynamically.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

System administrators managing Linux hosts with VLAN configurations, particularly those using dynamic QoS policy enforcement or SDN controllers that frequently modify VLAN egress priorities. Cloud providers and hosting environments with multi-tenant VLAN isolation should prioritize patching.

Technical summary

The vulnerability resides in `net/8021q/vlan.c` in the Linux kernel's VLAN device implementation. The `vlan_dev_set_egress_priority()` function maintains a hash table (`egress_priority_map`) mapping skb priorities to VLAN priorities. When userspace clears a mapping by setting `vlan_prio` to 0, the original code converted the mapping to a tombstone (priority 0) rather than deleting the node. Since each distinct skb priority creates a unique hash entry, repeated set/clear operations with varying priorities cause unbounded growth of the hash table. The fix uses the existing RCU protection on the egress mapping lists to unlink nodes immediately and defer the actual freeing until after an RCU grace period, preventing the leak while keeping read-side access lockless.
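As an added illustration (not the kernel's code and not the referenced fix commits), the following user-space model of the egress priority hash shows why keeping tombstones leaks one node per set/clear cycle while deleting cleared nodes does not. The structures, function names and the 16-bucket hash are assumptions of this model, and it frees nodes directly because it has no concurrent readers, where the kernel defers the free past an RCU grace period.

```c
#include <stdlib.h>

#define NR_BUCKETS 16
/* Simplified model of an egress priority mapping node and hash; constructed
 * for illustration, not the kernel's own structures. vlan_qos 0 = no mapping. */
struct prio_map { struct prio_map *next; unsigned int skb_prio; unsigned int vlan_qos; };
struct egress_map { struct prio_map *buckets[NR_BUCKETS]; };

/* Return the slot holding skb_prio's node, or the empty slot at the chain end. */
static struct prio_map **find_slot(struct egress_map *m, unsigned int skb_prio) {
    struct prio_map **pp = &m->buckets[skb_prio & (NR_BUCKETS - 1)];
    while (*pp && (*pp)->skb_prio != skb_prio) pp = &(*pp)->next;
    return pp;
}

static int insert_node(struct prio_map **pp, unsigned int skb_prio, unsigned int vlan_prio) {
    struct prio_map *np = calloc(1, sizeof *np);
    if (!np) return -1;
    np->skb_prio = skb_prio; np->vlan_qos = vlan_prio; *pp = np;
    return 0;
}

/* Pre-fix behaviour: clearing (vlan_prio == 0) keeps the node as a tombstone. */
int set_egress_priority_tombstone(struct egress_map *m, unsigned int skb_prio, unsigned int vlan_prio) {
    struct prio_map **pp = find_slot(m, skb_prio);
    if (*pp) { (*pp)->vlan_qos = vlan_prio; return 0; }
    return vlan_prio ? insert_node(pp, skb_prio, vlan_prio) : 0;
}

/* Fixed behaviour: clearing unlinks and frees the node. The kernel defers the
 * free past an RCU grace period; this model has no readers, so it frees at once. */
int set_egress_priority_fixed(struct egress_map *m, unsigned int skb_prio, unsigned int vlan_prio) {
    struct prio_map **pp = find_slot(m, skb_prio), *np = *pp;
    if (vlan_prio == 0) { if (np) { *pp = np->next; free(np); } return 0; }
    if (np) { np->vlan_qos = vlan_prio; return 0; }
    return insert_node(pp, skb_prio, vlan_prio);
}

/* Run `cycles` set-then-clear operations, each with a fresh skb priority, then
 * tear the map down (as VLAN device teardown would) and return how many nodes
 * were still allocated: the old code leaks one tombstone per cycle. */
size_t nodes_left_after_cycles(int (*set)(struct egress_map *, unsigned int, unsigned int), unsigned int cycles) {
    struct egress_map m = {{0}};
    size_t left = 0;
    for (unsigned int prio = 1; prio <= cycles; prio++) { set(&m, prio, 3); set(&m, prio, 0); }
    for (int b = 0; b < NR_BUCKETS; b++)
        while (m.buckets[b]) { struct prio_map *p = m.buckets[b]; m.buckets[b] = p->next; free(p); left++; }
    return left;
}
```

Calling `nodes_left_after_cycles` with each setter and the same cycle count makes the difference visible: the tombstone variant leaves one node per cycle allocated until teardown, the fixed variant leaves none.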

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing commits 7dddc74af369 and a52e122c9e4d when available from your Linux distribution
  • Monitor VLAN device memory usage on systems with dynamic egress QoS configuration changes
  • Review systems using `vconfig` or `ip link` commands that modify VLAN egress mappings for signs of memory pressure
  • Consider restricting dynamic VLAN QoS reconfiguration to reduce exposure if patching is delayed

Evidence notes

Vulnerability description confirms memory leak via tombstone accumulation in egress priority hash. Fix confirmed in kernel stable commits. No CVSS score or severity assigned by NVD at time of disclosure.

Official resources

2026-05-28