CVE-2026-46320

Linux · Kernel

A memory leak in the `tap_get_user_xdp()` function of the Linux kernel's tap driver can lead to system-wide resource exhaustion and denial of service.

Executive summary

A memory leak in the Linux kernel tap driver exposes systems to potential denial-of-service conditions through resource exhaustion.

Vulnerability

The `tap_get_user_xdp()` function fails to free the memory page backing a network frame it rejects. This happens when the frame is shorter than the Ethernet header length or when a memory allocation during processing fails; in both error paths the page is never released, so each rejected frame adds to a persistent memory leak.

Business impact

The CVSS score of 7.4 underscores a high risk to system stability. Because the Linux kernel is foundational to infrastructure, this vulnerability could be leveraged to degrade or crash critical services by exhausting memory, resulting in significant operational downtime.

Remediation

Immediate Action: Apply the latest kernel security updates provided by your distribution vendor (e.g., Debian or Red Hat).

Proactive Monitoring: Monitor kernel memory usage for signs of memory fragmentation or steady depletion that is not explained by the workload, which could indicate a leak in the tap/XDP subsystems.

Compensating Controls: Restrict access to network interfaces and tap/tun devices to authorized users or containers only to limit the attack surface for triggering these error paths.
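As a worked illustration of the monitoring step above, the following heuristic (added here; not code from the advisory or the kernel project) parses /proc/meminfo-style samples and flags a steadily growing amount of memory that no kernel accounting bucket explains, which is how pages allocated and never returned would appear. The bucket list and the constructed sample data are assumptions for the example.

```python
import re
from typing import Dict, List

# Buckets the kernel can attribute memory to. Whatever is neither free nor in
# one of these buckets is "unaccounted"; a steady rise in that figure while a
# tap/XDP workload runs is consistent with pages that are allocated but never
# returned, which is the defect this advisory describes. This is a heuristic
# (added example, not the advisory's or the kernel project's code).
ACCOUNTED = ("MemFree", "Buffers", "Cached", "Slab", "AnonPages",
             "KernelStack", "PageTables")

def parse_meminfo(text: str) -> Dict[str, int]:
    """Parse /proc/meminfo-style text into {field: kB}."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)\s*kB", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def unaccounted_kb(info: Dict[str, int]) -> int:
    """Memory in kB that no accounted bucket explains."""
    return info["MemTotal"] - sum(info.get(k, 0) for k in ACCOUNTED)

def leak_suspected(samples: List[str], min_growth_kb: int) -> bool:
    """True when unaccounted memory rises strictly across every sample and the
    total growth over the window is at least min_growth_kb."""
    values = [unaccounted_kb(parse_meminfo(s)) for s in samples]
    if len(values) < 3:
        return False
    monotonic = all(b > a for a, b in zip(values, values[1:]))
    return monotonic and (values[-1] - values[0]) >= min_growth_kb

def _sample(mem_free_kb: int, cached_kb: int) -> str:
    """Constructed /proc/meminfo excerpt for demonstration (not a real host)."""
    return (f"MemTotal:       8000000 kB\nMemFree:        {mem_free_kb} kB\n"
            f"Buffers:         100000 kB\nCached:         {cached_kb} kB\n"
            f"Slab:            200000 kB\nAnonPages:      1500000 kB\n"
            f"KernelStack:      10000 kB\nPageTables:       20000 kB\n")

# Leaking host: free memory drops 100 MB per sample with no bucket growing.
LEAKING = [_sample(4000000 - i * 100000, 1000000) for i in range(3)]
# Healthy host: free memory drops, but the page cache grows by the same amount.
HEALTHY = [_sample(4000000 - i * 100000, 1000000 + i * 100000) for i in range(3)]
```

On a live host, feed `leak_suspected()` a list of `/proc/meminfo` snapshots taken a few minutes apart while tap traffic is flowing; a threshold sized to the host's normal churn keeps ordinary cache and application growth from tripping it.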

Exploitation status

Public Exploit Available: false

Analyst recommendation

This kernel-level vulnerability warrants an urgent update cycle. Security teams should ensure that all Linux distributions managing network-intensive workloads are patched to the versions addressing this memory leak to maintain system integrity and prevent denial-of-service attacks.