PatchSiren cyber security CVE debrief
CVE-2026-52940 Linux CVE debrief
A vulnerability was found in the Linux kernel's tun_put_user() function, which did not zero the whole vnet header, leading to a potential information leak of 14 bytes of kernel stack on every read of a non-tunnel packet. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user(). Linux kernel users and administrators should be aware of this vulnerability and take steps to mitigate it. The vulnerability is related to the TUNSETVNETHDRSZ operation, which allows an unprivileged user to set the vnet header size to 24. The __tun_vnet_hdr_put() function copies all 24 bytes of the partially-initialized struct to userspace, potentially leaking kernel stack information.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-24
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-06-24
- Advisory updated
- 2026-07-07
Who should care
Linux kernel users and administrators should be aware of this vulnerability and take steps to mitigate it. The vulnerability affects the Linux kernel's tun_put_user() function and can be exploited by an unprivileged user. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user().
Technical summary
The tun_put_user() function in the Linux kernel did not properly initialize the virtio_net_hdr_v1_hash_tunnel struct, leading to a potential information leak. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, allowing __tun_vnet_hdr_put() to copy all 24 bytes of the partially-initialized struct to userspace. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user(). This ensures that the vnet header is properly initialized, preventing the information leak.
Defensive priority
Medium
Recommended defensive actions
- Update the Linux kernel to the latest version
- Use a secure TUNSETVNETHDRSZ value
- Monitor for potential exploitation attempts
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-06-24T08:16:24.287Z and last modified on 2026-07-07T18:35:34.340Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The Linux kernel's tun_put_user() function did not properly initialize the virtio_net_hdr_v1_hash_tunnel struct, potentially leaking 14 bytes of kernel stack on every read of a non-tunnel packet. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user().
Official resources
-
CVE-2026-52940 CVE record
CVE.org
-
CVE-2026-52940 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
-
Source reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T08:16:24.287Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.