Description
In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <8a89054a1ec0767aec25ed2bbac933da6ba3cf5a; 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <9247d59ca15bf60a57dca08103f055d8a4340877; 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <0084712e0bee204b284510cdb63182fd5a30c2b7; 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <63063ba60d2dc334e34f1e3f9271d7f3f6f30307; 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <445e45a2c3a078316a62d2d331a570cf34ef5079; 4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62 to <4438113be604ee67a7bf4f81da6e1cca41332ce4 |
| Linux | Linux | 4.1; 0 to <4.1; 6.1.175 to <=6.1.*; 6.6.141 to <=6.6.*; 6.12.91 to <=6.12.*; 6.18.33 to <=6.18.*; 7.0.10 to <=7.0.*; 7.1 to <=* |
References
- https://git.kernel.org/stable/c/8a89054a1ec0767aec25ed2bbac933da6ba3cf5a
- https://git.kernel.org/stable/c/9247d59ca15bf60a57dca08103f055d8a4340877
- https://git.kernel.org/stable/c/0084712e0bee204b284510cdb63182fd5a30c2b7
- https://git.kernel.org/stable/c/63063ba60d2dc334e34f1e3f9271d7f3f6f30307
- https://git.kernel.org/stable/c/445e45a2c3a078316a62d2d331a570cf34ef5079
- https://git.kernel.org/stable/c/4438113be604ee67a7bf4f81da6e1cca41332ce4
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.