CVE-2026-52981 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://git.kernel.org/stable/c/0084712e0bee204b284510cdb63182fd5a30c2b7
https://git.kernel.org/stable/c/4438113be604ee67a7bf4f81da6e1cca41332ce4
https://git.kernel.org/stable/c/445e45a2c3a078316a62d2d331a570cf34ef5079
https://git.kernel.org/stable/c/63063ba60d2dc334e34f1e3f9271d7f3f6f30307
https://git.kernel.org/stable/c/8a89054a1ec0767aec25ed2bbac933da6ba3cf5a
https://git.kernel.org/stable/c/9247d59ca15bf60a57dca08103f055d8a4340877

History

Wed, 24 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.
Title		neigh: let neigh_xmit take skb ownership
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0084712e0bee204b284510cdb63182fd5a30c2b7 https://git.kernel.org/stable/c/4438113be604ee67a7bf4f81da6e1cca41332ce4 https://git.kernel.org/stable/c/445e45a2c3a078316a62d2d331a570cf34ef5079 https://git.kernel.org/stable/c/63063ba60d2dc334e34f1e3f9271d7f3f6f30307 https://git.kernel.org/stable/c/8a89054a1ec0767aec25ed2bbac933da6ba3cf5a https://git.kernel.org/stable/c/9247d59ca15bf60a57dca08103f055d8a4340877

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:28:57.074Z

Updated: 2026-06-24T16:28:57.074Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52981

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object