In the Linux kernel, the following vulnerability has been resolved:
tun: zero the whole vnet header in tunputuser()
tunputuser() declares an on-stack struct virtionethdrv1hashtunnel without zeroing it. For a non-tunnel skb, virtionethdrtnlfromskb() only initializes the first 10 bytes (sizeof(struct virtionethdr)), leaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack garbage.
An unprivileged user can set the vnet header size to 24 with TUNSETVNETHDRSZ, so _tunvnethdrput() copies all 24 bytes of the partially-initialized struct to userspace, leaking 14 bytes of kernel stack on every read of a non-tunnel packet.
Fix it the same way tungetuser() already does by zeroing the whole header right after declaration.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52940.json",
"cna_assigner": "Linux"
}