Skip to main content

Linux Kernel CVE-2026-45865

| EUVDEUVD-2026-32331 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6j35-qr59-823q
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local low-privilege access required; uninitialized stack byte leaks kernel memory (C:L); availability impact high if callers misinterpret garbage read data.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:27 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mctp i2c: initialise event handler read bytes

Set a 0xff value for i2c reads of an mctp-i2c device. Otherwise reads will return "val" from the i2c bus driver. For i2c-aspeed and i2c-npcm7xx that is a stack uninitialised u8.

Tested with "i2ctransfer -y 1 r10@0x34" where 0x34 is a mctp-i2c instance, now it returns all 0xff.

AnalysisAI

Uninitialized stack memory exposure in the Linux kernel's MCTP-over-I2C (mctp-i2c) driver affects systems using i2c-aspeed or i2c-npcm7xx bus drivers, particularly server/BMC hardware with Aspeed and Nuvoton chipsets. When a read is performed against an mctp-i2c device instance, the event handler fails to initialize the 'val' byte before returning it to the caller, exposing whatever residual value sits on the kernel stack at that moment. No public exploit has been identified at time of analysis, and with an EPSS of 0.03% (10th percentile), real-world exploitation pressure is currently negligible; however, kernel stack data leakage is a meaningful information disclosure primitive on affected hardware.

Technical ContextAI

MCTP (Management Component Transport Protocol, DMTF DSP0236) is the standard protocol for out-of-band management plane communication between host firmware and baseboard management controllers (BMCs). The mctp-i2c binding (drivers/net/mctp/mctp-i2c.c) exposes MCTP endpoints over I2C buses. The vulnerability is a classic CWE-457 (Use of Uninitialized Variable): in the event handler read path, a local u8 variable 'val' is passed to the I2C bus driver for population but is never explicitly zeroed beforehand. On i2c-aspeed (Aspeed BMC SoC I2C controller) and i2c-npcm7xx (Nuvoton NPCM7xx I2C controller), the bus driver does not guarantee initialization of the buffer, so whatever byte occupies that stack slot is returned to the caller. The fix is straightforward: pre-initialize 'val' to 0xff so reads return a defined sentinel value. Affected CPEs: cpe:2.3:o:linux:linux_kernel covering the range from the introducing commit f5b8abf9fc3d through the stable-branch fix commits listed in NVD references.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 - the respective stable-branch fix commits are referenced above and at https://nvd.nist.gov/vuln/detail/CVE-2026-45865. For systems where a kernel upgrade is not immediately feasible, the compensating control is to unload or blacklist the mctp-i2c kernel module ('modprobe -r mctp-i2c' and add 'blacklist mctp-i2c' to /etc/modprobe.d/), which eliminates the vulnerable code path entirely; the trade-off is loss of MCTP management-plane communication over I2C, which disables BMC-to-host MCTP messaging on affected hardware. If MCTP functionality is required, restrict read access to the I2C device nodes (e.g., tighten /dev/i2c-* permissions and remove non-administrative users from the 'i2c' group) to limit who can trigger the uninitialized read path, reducing information-disclosure exposure at the cost of narrowing operational access.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy