PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52940 Linux CVE debrief

A vulnerability was found in the Linux kernel's tun_put_user() function, which did not zero the whole vnet header, leading to a potential information leak of 14 bytes of kernel stack on every read of a non-tunnel packet. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user(). Linux kernel users and administrators should be aware of this vulnerability and take steps to mitigate it. The vulnerability is related to the TUNSETVNETHDRSZ operation, which allows an unprivileged user to set the vnet header size to 24. The __tun_vnet_hdr_put() function copies all 24 bytes of the partially-initialized struct to userspace, potentially leaking kernel stack information.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-07-07
Advisory published
2026-06-24
Advisory updated
2026-07-07

Who should care

Linux kernel users and administrators should be aware of this vulnerability and take steps to mitigate it. The vulnerability affects the Linux kernel's tun_put_user() function and can be exploited by an unprivileged user. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user().

Technical summary

The tun_put_user() function in the Linux kernel did not properly initialize the virtio_net_hdr_v1_hash_tunnel struct, leading to a potential information leak. An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, allowing __tun_vnet_hdr_put() to copy all 24 bytes of the partially-initialized struct to userspace. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user(). This ensures that the vnet header is properly initialized, preventing the information leak.

Defensive priority

Medium

Recommended defensive actions

  • Update the Linux kernel to the latest version
  • Use a secure TUNSETVNETHDRSZ value
  • Monitor for potential exploitation attempts
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-06-24T08:16:24.287Z and last modified on 2026-07-07T18:35:34.340Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The Linux kernel's tun_put_user() function did not properly initialize the virtio_net_hdr_v1_hash_tunnel struct, potentially leaking 14 bytes of kernel stack on every read of a non-tunnel packet. The vulnerability has been resolved by zeroing the whole vnet header in tun_put_user().

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-24T08:16:24.287Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.