CVE-2026-52981 - Vulnerability Details

- neigh: let neigh_xmit take skb ownership

Description

In the Linux kernel, the following vulnerability has been resolved:

neigh: let neigh_xmit take skb ownership

neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).

sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?

Assume full ownership and remove the last code path that doesn't
xmit or free skb.

Published: 2026-06-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 8a89054a1ec0767aec25ed2bbac933da6ba3cf5a
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 9247d59ca15bf60a57dca08103f055d8a4340877
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 0084712e0bee204b284510cdb63182fd5a30c2b7
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 63063ba60d2dc334e34f1e3f9271d7f3f6f30307
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 445e45a2c3a078316a62d2d331a570cf34ef5079
`4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62`	affected	< 4438113be604ee67a7bf4f81da6e1cca41332ce4

Linux

affected

Version	Status	Constraints
`4.1`	affected	—
`0`	unaffected	< 4.1
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,8a89054a1ec0767aec25ed2bbac933da6ba3cf5a)`	affected	code_commit	—
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,9247d59ca15bf60a57dca08103f055d8a4340877)`	affected	code_commit	—
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,0084712e0bee204b284510cdb63182fd5a30c2b7)`	affected	code_commit	—
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,63063ba60d2dc334e34f1e3f9271d7f3f6f30307)`	affected	code_commit	—
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,445e45a2c3a078316a62d2d331a570cf34ef5079)`	affected	code_commit	—
`[4fd3d7d9e868ffbdb0e7a67c5c8e9dfdcd846a62,4438113be604ee67a7bf4f81da6e1cca41332ce4)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.1`	affected	generic	—
`[0,4.1)`	unaffected	generic	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00539.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0084712e0bee204b284510cdb63182fd5a30c2b7
https://git.kernel.org/stable/c/4438113be604ee67a7bf4f81da6e1cca41332ce4
https://git.kernel.org/stable/c/445e45a2c3a078316a62d2d331a570cf34ef5079
https://git.kernel.org/stable/c/63063ba60d2dc334e34f1e3f9271d7f3f6f30307
https://git.kernel.org/stable/c/8a89054a1ec0767aec25ed2bbac933da6ba3cf5a
https://git.kernel.org/stable/c/9247d59ca15bf60a57dca08103f055d8a4340877
https://lore.kernel.org/linux-cve-announce/2026062441-CVE-2026-52981-dce5@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52981
https://www.cve.org/CVERecord?id=CVE-2026-52981

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 27 Jun 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Sat, 27 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026062441-CVE-2026-52981-dce5@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52981 https://www.cve.org/CVERecord?id=CVE-2026-52981
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: neigh: let neigh_xmit take skb ownership neigh_xmit always releases the skb, except when no neighbour table is found. But even the first added user of neigh_xmit (mpls) relied on neigh_xmit to release the skb (or queue it for tx). sashiko reported: If neigh_xmit() is called with an uninitialized neighbor table (for example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT and bypasses its internal out_kfree_skb error path. Because the return value of neigh_xmit() is ignored here, does this leak the SKB? Assume full ownership and remove the last code path that doesn't xmit or free skb.
Title		neigh: let neigh_xmit take skb ownership
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0084712e0bee204b284510cdb63182fd5a30c2b7 https://git.kernel.org/stable/c/4438113be604ee67a7bf4f81da6e1cca41332ce4 https://git.kernel.org/stable/c/445e45a2c3a078316a62d2d331a570cf34ef5079 https://git.kernel.org/stable/c/63063ba60d2dc334e34f1e3f9271d7f3f6f30307 https://git.kernel.org/stable/c/8a89054a1ec0767aec25ed2bbac933da6ba3cf5a https://git.kernel.org/stable/c/9247d59ca15bf60a57dca08103f055d8a4340877

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:28:57.074Z

Updated: 2026-06-28T06:37:33.379Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52981

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52981 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T13:45:06Z

Weaknesses

CWE-772

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object