Description
In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.
References (6)
Core 6
Core References
Scores
CVSS v3
7.5
EPSS
0.0054
EPSS Percentile
41.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (19)
linux/Kernel
4.1.0 - 6.1.175linux
linux/Kernel
6.13.0 - 6.18.33linux
linux/Kernel
6.19.0 - 7.0.10linux
linux/Kernel
6.2.0 - 6.6.141linux
linux/Kernel
6.7.0 - 6.12.91linux
Linux/Linux
< 4.1
Linux/Linux
4.1
Linux/Linux
4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 - 0084712e0bee204b284510cdb63182fd5a30c2b7
Linux/Linux
4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 - 4438113be604ee67a7bf4f81da6e1cca41332ce4
Linux/Linux
4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 - 445e45a2c3a078316a62d2d331a570cf34ef5079
... and 9 more
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026