CVE-2026-52981

neigh: let neigh_xmit take skb ownership

EPSS: 0.2%
Vexday Risk Score: 3 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
KEV: no
Lifecycle
24 Jun 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx).

sashiko reported:

  If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't xmit or free skb.
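The ownership rule described above, as an added userspace model; it is not the kernel patch or code from this page. The names struct buf, pool, xmit_before, xmit_after and the hdr_ok error path are assumptions made for illustration, and a fixed pool stands in for skb allocation so that buffers left unreleased can be counted.

```c
/* Userspace model of the ownership contract; constructed, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct buf { int in_use; };      /* stand-in for struct sk_buff */
static struct buf pool[8];       /* fixed pool so a leak is countable */
#define POOL_N (sizeof(pool) / sizeof(pool[0]))

static struct buf *buf_alloc(void)
{
    for (size_t i = 0; i < POOL_N; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                 /* pool exhausted */
}
static void buf_free(struct buf *b) { b->in_use = 0; }
static int dev_xmit(struct buf *b) { buf_free(b); return 0; } /* tx consumes b */

/* Before: the missing-table return skips the free path. */
static int xmit_before(int have_table, int hdr_ok, struct buf *b)
{
    if (!have_table) return -EAFNOSUPPORT;   /* b is neither sent nor freed */
    if (!hdr_ok) { buf_free(b); return -EINVAL; }
    return dev_xmit(b);
}

/* After: the callee owns b, so every path transmits or frees it. */
static int xmit_after(int have_table, int hdr_ok, struct buf *b)
{
    int err = -EAFNOSUPPORT;
    if (!have_table) goto out_free;
    err = -EINVAL;
    if (!hdr_ok) goto out_free;
    return dev_xmit(b);
out_free:
    buf_free(b);
    return err;
}

/* Caller that ignores the return value; returns buffers still held. */
static int leaked_after_calls(int (*xmit)(int, int, struct buf *), int have_table)
{
    int live = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < 3; i++) { struct buf *b = buf_alloc(); if (b) xmit(have_table, 1, b); }
    for (size_t i = 0; i < POOL_N; i++) live += pool[i].in_use;
    return live;
}

int main(void) { printf("before=%d after=%d\n", leaked_after_calls(xmit_before, 0), leaked_after_calls(xmit_after, 0)); return 0; }
```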
Affected products
Linux · Linux
