CVE-2026-52940
Linux Kernel Vulnerability Analysis and Mitigation

Overview

CVE-2026-52940 is a kernel stack memory disclosure vulnerability in the Linux kernel's TUN driver, in the tun_put_user() function. Once a TUN file descriptor has its virtio-net header size set to 24 bytes, every read of a non-tunnel packet copies 14 bytes of uninitialized kernel stack memory to userspace; the only privilege required is access to the TUN device. The issue was published on June 24, 2026. It affects Linux kernels from commit 288f30435132d2f9e7a29ec9b9745a4f9dc7fd37 onward: the 6.17 series, 6.18.x before 6.18.36, and 7.0.x before 7.0.13. No CVSS score had been assigned at publication; the severity is estimated as HIGH (Feedly, GitHub Advisory).

Technical details

The root cause is an uninitialized stack variable whose contents reach userspace (classified as CWE-200, information exposure). tun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel (24 bytes) without zeroing it. For a non-tunnel socket buffer (skb), virtio_net_hdr_tnl_from_skb() fills in only the first 10 bytes, the size of the basic struct virtio_net_hdr (flags, gso_type, hdr_len, gso_size, csum_start, csum_offset), and leaves bytes 10 through 23, which hold num_buffers, the hash fields and the two tunnel offsets, with whatever the stack held before the call. A user holding a TUN descriptor attached with IFF_VNET_HDR can issue TUNSETVNETHDRSZ with the value 24; __tun_vnet_hdr_put() then copies the full 24-byte structure to the caller ahead of every packet, and the 14 bytes beyond the initialized prefix are raw kernel stack. The fix mirrors what tun_get_user() already does on the write path: zero the entire header structure immediately after it is declared (GitHub Advisory, Feedly).
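To make the byte accounting concrete, here is an added userspace model of the header that tun_put_user() builds on its stack (example code, not the kernel's own). The struct layout mirrors the uapi virtio_net.h definitions; the stale-byte pattern standing in for leftover stack contents is constructed, and zero-filling any header tail beyond 24 bytes is a modelling choice rather than a claim about the driver:

```c
/*
 * Added example, not kernel code: a userspace model of the header that
 * tun_put_user() builds on its stack for a non-tunnel packet. It shows why a
 * 24-byte vnet header exposes exactly 14 uninitialized bytes and how zeroing
 * the struct right after declaration (the upstream fix) closes the leak.
 * Field layout mirrors the uapi virtio_net.h definitions; the stale pattern
 * that stands in for leftover stack contents is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flattened view of struct virtio_net_hdr_v1_hash_tunnel (24 bytes). */
struct vnet_hdr_tnl {
    uint8_t  flags;            /* offset 0  : start of struct virtio_net_hdr,   */
    uint8_t  gso_type;         /* offset 1  : the 10 bytes that                  */
    uint16_t hdr_len;          /* offset 2  : virtio_net_hdr_tnl_from_skb()      */
    uint16_t gso_size;         /* offset 4  : fills in for a non-tunnel skb      */
    uint16_t csum_start;       /* offset 6                                       */
    uint16_t csum_offset;      /* offset 8                                       */
    uint16_t num_buffers;      /* offset 10 : first byte that is never written   */
    uint32_t hash_value;       /* offset 12                                      */
    uint16_t hash_report;      /* offset 16                                      */
    uint16_t padding;          /* offset 18                                      */
    uint16_t outer_th_offset;  /* offset 20                                      */
    uint16_t inner_nh_offset;  /* offset 22                                      */
};

#define VNET_HDR_BASE_SZ 10u   /* sizeof(struct virtio_net_hdr) */
#define VNET_HDR_TNL_SZ  24u   /* sizeof(struct virtio_net_hdr_v1_hash_tunnel) */
#define MAX_VNET_HDR_SZ  64u   /* bound for this model's output buffer */

/* Model of virtio_net_hdr_tnl_from_skb() for a non-tunnel, non-GSO skb:
 * only the first 10 bytes are written, exactly as on the vulnerable path. */
static void hdr_from_non_tunnel_skb(struct vnet_hdr_tnl *h, uint16_t pkt_len)
{
    h->flags = 0;
    h->gso_type = 0;            /* VIRTIO_NET_HDR_GSO_NONE */
    h->hdr_len = pkt_len;
    h->gso_size = 0;
    h->csum_start = 0;
    h->csum_offset = 0;
}

/* Model of the header part of tun_put_user(): build the header on the stack
 * and hand min(vnet_hdr_sz, 24) bytes of it to userspace. `stale` simulates
 * what the previous callee left in the stack slot. With zero_first == 0 this
 * is the vulnerable code; with zero_first == 1 it is the fixed code. Any tail
 * beyond 24 bytes is zero-filled here (a modelling choice). Returns the bytes
 * written to `out`, or -1 for a size TUNSETVNETHDRSZ would reject. */
static int put_user_hdr(uint8_t out[MAX_VNET_HDR_SZ], unsigned vnet_hdr_sz,
                        const uint8_t stale[VNET_HDR_TNL_SZ], int zero_first)
{
    struct vnet_hdr_tnl hdr;
    unsigned content;

    if (vnet_hdr_sz < VNET_HDR_BASE_SZ || vnet_hdr_sz > MAX_VNET_HDR_SZ)
        return -1;
    memcpy(&hdr, stale, sizeof hdr);      /* "uninitialized" stack contents */
    if (zero_first)
        memset(&hdr, 0, sizeof hdr);      /* the upstream fix */
    hdr_from_non_tunnel_skb(&hdr, 1500);

    content = vnet_hdr_sz < VNET_HDR_TNL_SZ ? vnet_hdr_sz : VNET_HDR_TNL_SZ;
    memcpy(out, &hdr, content);
    memset(out + content, 0, vnet_hdr_sz - content);
    return (int)vnet_hdr_sz;
}

/* Count header bytes past the initialized prefix that still carry the stale
 * pattern, i.e. bytes of "kernel stack" that reached userspace. */
static int leaked_bytes(const uint8_t *out, unsigned vnet_hdr_sz,
                        const uint8_t stale[VNET_HDR_TNL_SZ])
{
    int n = 0;
    for (unsigned i = VNET_HDR_BASE_SZ; i < vnet_hdr_sz && i < VNET_HDR_TNL_SZ; i++)
        if (out[i] == stale[i])
            n++;
    return n;
}

/* Run one read with the given header size; returns the leaked byte count. */
static int leak_for_size(unsigned vnet_hdr_sz, int zero_first)
{
    uint8_t stale[VNET_HDR_TNL_SZ], out[MAX_VNET_HDR_SZ];
    for (unsigned i = 0; i < VNET_HDR_TNL_SZ; i++)
        stale[i] = (uint8_t)(0xa0 + i);   /* constructed, never zero */
    if (put_user_hdr(out, vnet_hdr_sz, stale, zero_first) < 0)
        return -1;
    return leaked_bytes(out, vnet_hdr_sz, stale);
}

int main(void)
{
    static const unsigned sizes[] = {10, 12, 20, 24, 32};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("vnet_hdr_sz=%2u  leaked: vulnerable=%2d  fixed=%d\n", sizes[i],
               leak_for_size(sizes[i], 0), leak_for_size(sizes[i], 1));
    return 0;
}
```

With the default header size of 10 nothing past the prefix is copied, so the bug is invisible to ordinary TUN users; the leak grows with the configured size up to the 14 bytes reached at 24, and the one-line memset on the fixed path brings it to zero for every size.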

Impact

Successful exploitation lets any unprivileged local user who can open a TUN device read 14 bytes of kernel stack memory per non-tunnel packet. The leaked bytes are whatever earlier kernel code paths left in that stack slot: kernel text or data pointers, saved register values, cryptographic material that passed through a kernel stack frame, or fragments of other kernel data structures. Each read leaks little, but the leak is repeatable at packet rate, so an attacker can collect many samples and mine them for addresses that defeat KASLR or reveal the layout of kernel objects. The bug does not by itself allow code execution or privilege escalation, but the disclosed addresses are exactly what a memory-corruption exploit in another subsystem needs to become reliable (Feedly).

Exploitation steps

  1. Gain local access: obtain an unprivileged account on a system running a vulnerable kernel (6.17, 6.18.x before 6.18.36, or 7.0.x before 7.0.13) that can open /dev/net/tun and attach to a TUN interface. Creating a new interface with TUNSETIFF requires CAP_NET_ADMIN in the interface's network namespace, so in practice this means either a persistent TUN device whose owner or group was assigned to the user (TUNSETOWNER/TUNSETGROUP, as VPN setups commonly do), or a user namespace in which the user holds CAP_NET_ADMIN over its own network namespace.
  2. Open the TUN device: open /dev/net/tun and attach to the interface with TUNSETIFF, passing IFF_TUN together with IFF_VNET_HDR. Without IFF_VNET_HDR, tun_put_user() writes no virtio-net header at all and the bug is not reachable.
  3. Set the vnet header size: issue TUNSETVNETHDRSZ with the value 24 (the size of struct virtio_net_hdr_v1_hash_tunnel) so that the kernel prepends a 24-byte header to every packet delivered on read.
  4. Trigger packet reads: arrange for packets to be routed to the interface (any traffic addressed to it suffices) and read them from the descriptor. On each read, __tun_vnet_hdr_put() copies the full 24-byte structure, including the 14 uninitialized bytes, ahead of the packet data.
  5. Extract the leaked data: take bytes 10 through 23 of each read buffer. On x86-64, 8-byte values in the 0xffff8000_00000000 and above range are candidate kernel pointers that can reveal the randomized base of kernel text, modules or the direct map (Feedly, GitHub Advisory).

Indicators of compromise

  • Logs: repeated ioctl(2) calls with request TUNSETVNETHDRSZ from unprivileged processes in auditd syscall records (syscall auditing enabled). The request number appears in the record as hex (0x400454d8 on x86-64 and arm64, i.e. _IOW('T', 216, int)), and because the size is passed by pointer, the value 24 is not visible in the syscall arguments; correlate on the calling uid, process and its subsequent read activity instead.
  • Process: unprivileged processes holding /dev/net/tun open and issuing high-frequency reads without corresponding outbound traffic or any known VPN or virtualization parent.
  • Network: TUN interfaces created or attached by non-administrative users or by processes not associated with known VPN or virtualization software.
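To turn the log indicator into something that can be run, the following scanner over raw auditd SYSCALL records is added here (example code, not from the advisory). It assumes an x86-64 system (syscall 16 is ioctl, and TUNSETVNETHDRSZ encodes as a1=400454d8) and an audit rule such as `-a always,exit -F arch=b64 -S ioctl -F a1=0x400454d8 -k tun_vnet`; the three records embedded below are constructed for the demonstration:

```c
/*
 * Added example, not from the advisory: a scanner for raw auditd SYSCALL
 * records that flags ioctl(TUNSETVNETHDRSZ) issued by non-root processes.
 * Assumes x86-64 (syscall 16 is ioctl; TUNSETVNETHDRSZ = _IOW('T', 216, int)
 * encodes as a1=400454d8) and an audit rule like
 *   -a always,exit -F arch=b64 -S ioctl -F a1=0x400454d8 -k tun_vnet
 * The records embedded below are constructed for the demonstration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TUNSETVNETHDRSZ_HEX  "400454d8"   /* as auditd prints a1 on x86-64 */
#define SYSCALL_IOCTL_X86_64 "16"

/* Copy the value of `key` (including '=') from a space-separated audit
 * record into `out`, matching whole tokens so "uid=" is not found inside
 * "auid=" or "euid=". Surrounding double quotes are stripped. Returns 1 on hit. */
static int audit_field(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        const char *tok = p;
        while (*p && *p != ' ') p++;
        size_t tlen = (size_t)(p - tok);
        if (tlen > klen && strncmp(tok, key, klen) == 0) {
            const char *val = tok + klen;
            size_t n = tlen - klen;
            if (n >= 2 && val[0] == '"' && val[n - 1] == '"') { val++; n -= 2; }
            if (n >= outsz) n = outsz - 1;
            memcpy(out, val, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

struct finding { long pid, uid; char comm[32]; };

/* 1 if `line` is a SYSCALL record for ioctl(fd, TUNSETVNETHDRSZ, ...) from a
 * non-root uid. Root doing this is normal for VPN and VM daemons; an
 * unprivileged process doing it is the indicator from the list above. */
static int is_tun_hdrsz_from_unprivileged(const char *line, struct finding *f)
{
    char v[64];
    if (!audit_field(line, "type=", v, sizeof v) || strcmp(v, "SYSCALL") != 0) return 0;
    if (!audit_field(line, "syscall=", v, sizeof v) || strcmp(v, SYSCALL_IOCTL_X86_64) != 0) return 0;
    if (!audit_field(line, "a1=", v, sizeof v) || strcmp(v, TUNSETVNETHDRSZ_HEX) != 0) return 0;
    if (!audit_field(line, "uid=", v, sizeof v)) return 0;
    f->uid = strtol(v, NULL, 10);
    if (f->uid == 0) return 0;
    f->pid = audit_field(line, "pid=", v, sizeof v) ? strtol(v, NULL, 10) : -1;
    if (!audit_field(line, "comm=", v, sizeof v)) v[0] = '\0';
    snprintf(f->comm, sizeof f->comm, "%s", v);
    return 1;
}

/* Scan records; returns the number of hits and stores up to `max` of them. */
static int scan_audit(const char *const *lines, int n, struct finding *out, int max)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct finding f;
        if (is_tun_hdrsz_from_unprivileged(lines[i], &f)) {
            if (hits < max) out[hits] = f;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample records, not real log output. */
static const char *const SAMPLE_AUDIT[] = {
    /* unprivileged process requesting the 24-byte header: suspicious */
    "type=SYSCALL msg=audit(1782345600.101:900): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=400454d8 a2=7ffd3c0e2a4c a3=0 items=0 ppid=2311 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm=\"leakread\" exe=\"/home/alice/leakread\" key=\"tun_vnet\"",
    /* root VPN daemon doing the same: expected behaviour */
    "type=SYSCALL msg=audit(1782345601.220:901): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=400454d8 a2=7ffe0a1b2c3d a3=0 items=0 ppid=1 pid=1337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"openvpn\" exe=\"/usr/sbin/openvpn\" key=\"tun_vnet\"",
    /* unprivileged TUNSETIFF (a1=400454ca): a different request, not matched here */
    "type=SYSCALL msg=audit(1782345602.005:902): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=400454ca a2=7ffd3c0e2a10 a3=0 items=0 ppid=2311 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm=\"leakread\" exe=\"/home/alice/leakread\" key=\"tun_vnet\"",
};
#define SAMPLE_AUDIT_N ((int)(sizeof SAMPLE_AUDIT / sizeof SAMPLE_AUDIT[0]))

/* Entry point for the demonstration: suspicious records in the sample. */
static int scan_sample(struct finding *out, int max)
{
    return scan_audit(SAMPLE_AUDIT, SAMPLE_AUDIT_N, out, max);
}

int main(void)
{
    struct finding f[8];
    int n = scan_sample(f, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("suspicious: pid=%ld uid=%ld comm=%s issued TUNSETVNETHDRSZ\n",
               f[i].pid, f[i].uid, f[i].comm);
    return 0;
}
```

The token-wise field lookup matters more than it looks: a naive substring search for "uid=" picks up auid= or euid= first, and on a record where auid and uid differ (a root daemon started from an interactive session, for instance) that would invert the privileged/unprivileged decision.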

Mitigation and workarounds

Apply the upstream Linux kernel patches that zero the entire virtio_net_hdr_v1_hash_tunnel structure immediately after its declaration in tun_put_user(). Fixed releases are Linux 6.18.36, 7.0.13, and 7.1 (and later); the corresponding fix commits are 5fd1fa5a4254bfdd70571c77f5e3bcb4e43738d5, 585cb85e9a29185be05f326369573c2663cf4380, and 7f2fcff15e99bb852f6967396ed12b38376e2c8d. Distribution kernels may carry the fix as a backport under an older version number, so check the vendor advisory rather than relying on uname -r alone. Until patching is possible, reduce exposure by restricting who can reach the driver: every path to the bug starts with opening /dev/net/tun, so tightening that node's mode (commonly 0666 by the udev default) to a dedicated group blocks unprivileged users, including those who could otherwise obtain CAP_NET_ADMIN inside a user namespace of their own; in addition, avoid handing persistent TUN devices to untrusted users via TUNSETOWNER/TUNSETGROUP. Expect the permission change to break VPN and virtualization software that runs as an ordinary user unless that user is added to the group (GitHub Advisory, Feedly).
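A small checker for the ranges and the workaround above, added as an example (not the advisory's or the project's own tooling). It parses a `uname -r` string against the listed ranges and inspects the mode of /dev/net/tun; a "vulnerable" verdict means only that the upstream version number is in range, which a distribution backport can contradict:

```c
/*
 * Added example, not from the advisory: checks the running kernel's release
 * string against the ranges listed above and inspects /dev/net/tun for the
 * permission workaround. Version numbers reflect upstream releases only; a
 * distribution kernel may carry the fix as a backport, so treat VULNERABLE
 * as "confirm with the vendor advisory", not as proof.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse a `uname -r` string such as "6.18.35-generic" or "7.1.0-rc3".
 * Returns 0 on success, -1 if the string does not start with M.m[.p]. */
static int parse_release(const char *s, struct kver *v)
{
    char *end;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s)
        return -1;
    v->patch = 0;
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s)
            return -1;
    }
    return 0;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

enum kstatus { KS_BAD_INPUT = -1, KS_FIXED = 0, KS_VULNERABLE = 1, KS_NOT_LISTED = 2 };

/* Apply the advisory's ranges: all of 6.17, 6.18.x before 6.18.36 and 7.0.x
 * before 7.0.13 are vulnerable; 6.18.36+, 7.0.13+ and 7.1+ are fixed;
 * anything older than 6.17, or a series the advisory does not name, is
 * reported as not listed rather than guessed at. */
static enum kstatus kernel_status(const char *release)
{
    const struct kver first = {6, 17, 0}, fix618 = {6, 18, 36},
                      fix70 = {7, 0, 13}, v71 = {7, 1, 0};
    struct kver v;
    if (parse_release(release, &v) < 0) return KS_BAD_INPUT;
    if (kver_cmp(v, first) < 0) return KS_NOT_LISTED;
    if (v.major == 6 && v.minor == 17) return KS_VULNERABLE;
    if (v.major == 6 && v.minor == 18) return kver_cmp(v, fix618) < 0 ? KS_VULNERABLE : KS_FIXED;
    if (v.major == 7 && v.minor == 0) return kver_cmp(v, fix70) < 0 ? KS_VULNERABLE : KS_FIXED;
    if (kver_cmp(v, v71) >= 0) return KS_FIXED;
    return KS_NOT_LISTED;
}

/* Workaround check: 1 if `path` is readable or writable by "other" (the
 * common udev default of 0666 for /dev/net/tun), 0 if restricted, -1 if
 * the node does not exist. */
static int tun_node_world_accessible(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (st.st_mode & (S_IROTH | S_IWOTH)) != 0;
}

int main(void)
{
    static const char *const label[] = {
        "fixed", "vulnerable (verify vendor backports)", "not in the listed ranges"};
    struct utsname u;
    if (uname(&u) < 0) { perror("uname"); return 1; }
    enum kstatus s = kernel_status(u.release);
    printf("kernel %s: %s\n", u.release, s < 0 ? "unparseable release string" : label[s]);
    int w = tun_node_world_accessible("/dev/net/tun");
    if (w < 0)
        puts("/dev/net/tun: absent (tun module not loaded or no device node)");
    else
        printf("/dev/net/tun: %s\n", w ? "world-accessible; restrict to a group until patched"
                                       : "restricted");
    return 0;
}
```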

This report was generated with the help of AI.

Related Linux Kernel vulnerabilities:

CVE ID           Severity  Score  Technologies  Component  CISA KEV exploit  Fixed  Published
CVE-2026-52942   NONE      N/A    Linux Kernel  kernel-rt  No                No     Jun 24, 2026
CVE-2026-52941   NONE      N/A    Linux Kernel  kernel     No                No     Jun 24, 2026
CVE-2026-52940   NONE      N/A    Linux Kernel  kernel     No                No     Jun 24, 2026
CVE-2026-52939   NONE      N/A    Linux Kernel  kernel     No                No     Jun 24, 2026
CVE-2026-52937   NONE      N/A    Linux Kernel  kernel     No                No     Jun 24, 2026
