Skip to main content

Linux Kernel CVE-2026-46182

| EUVDEUVD-2026-32809 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2vh6-g7pq-9fgv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege access to device node required; impact is confidentiality-only (kernel stack disclosure); no integrity or availability consequence applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 03:08 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace

The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().

This patch fixes that by initializing the whole struct to 0.

AnalysisAI

Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The struct papr_hvpipe_hdr reserved padding fields (reserved[3] and reserved2[40]) are never zeroed before copy_to_user() copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.

Technical ContextAI

The affected subsystem is pseries/papr-hvpipe, a driver in the IBM Power Systems (pseries) platform support tree implementing PAPR (Power Architecture Platform Reference) hypervisor pipes - an inter-partition communication channel unique to IBM POWER virtualization environments. The root cause is that the hdr variable of type struct papr_hvpipe_hdr is allocated on the kernel stack and only the version and flags members are explicitly assigned, leaving 43 bytes of reserved padding (reserved[3] + reserved2[40]) with whatever data previously occupied that stack frame. copy_to_user() copies the full structure verbatim, including the stale padding bytes, to the calling userspace process. The assigned CWE-401 (Missing Release of Memory after Effective Lifetime) is a poor fit here - the vulnerability is more precisely CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) or CWE-909 (Missing Initialization of Resource), since the harm is confidentiality loss, not resource exhaustion. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with the introducing commit identified as cebdb522fd3edd1fe05f7b4a74a27da7dd0f8d86.

RemediationAI

The primary fix is to upgrade to a patched kernel release: Linux 6.18.30, Linux 7.0.7, or Linux 7.1-rc3 (or any subsequent release). The upstream fix initializes the entire papr_hvpipe_hdr structure to zero via memset or an initializer before populating only version and flags, eliminating all uninitialized padding. Patch commits are available at https://git.kernel.org/stable/c/0479b6e9f999cc1cbad7d9f09f574fc387e605d5 (7.0.x), https://git.kernel.org/stable/c/cefeed44296261173a806bef988b26bc565da4be (7.1-rc3), and https://git.kernel.org/stable/c/f88f8e4485b437e0a2f96a7ff1f88aa22d925659 (6.18.x). Where immediate patching is not possible, restrict access to the papr-hvpipe device node using tightened file permissions (e.g., chmod 600) or udev rules that deny access to non-root users - this trades off functionality for processes legitimately using hypervisor pipes against blocking exploitation. This compensating control is temporary and does not address the root cause. Organizations not running IBM pseries virtualized workloads require no action.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy