Skip to main content

Linux Kernel CVE-2026-52937

| EUVDEUVD-2026-38707 MEDIUM
Memory Leak (CWE-401)
2026-06-24 Linux GHSA-2xmc-f6qc-h4h9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges to open macvtap device required; impact is purely confidentiality (kernel pointer disclosure), no integrity or availability consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:34 vuln.today
CVSS changed
Jul 08, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR.

Initialise ss at declaration.

AnalysisAI

Stack information disclosure in the Linux kernel's tap/macvtap driver exposes 8 bytes of uninitialized kernel stack contents to local users via the SIOCGIFHWADDR ioctl, leaking kernel .text and direct-map pointers that defeat KASLR. The affected code path in tap_ioctl() copies a 16-byte sockaddr_storage to userspace while netif_get_mac_address() initializes only 8 bytes (sa_family plus 6-byte Ethernet address), leaving the trailing 8 bytes unread. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open macvtap character device
Delivery
Issue SIOCGIFHWADDR ioctl
Exploit
Read 8 uninitialized stack bytes from response
Execution
Parse kernel .text and physmap pointers
Persist
Compute kernel base address, defeat KASLR
Impact
Leverage KASLR bypass in separate LPE exploit chain

Vulnerability AssessmentAI

Exploitation Exploitation requires a local attacker with low-privilege access to a macvtap or tap character device (e.g., /dev/tapX). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk of this vulnerability is moderate-to-significant despite the misleading CVSS vector provided with the advisory. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user or malicious process running inside a virtual machine whose NIC is backed by a host macvtap device opens /dev/tapX and issues ioctl(fd, SIOCGIFHWADDR, &ifr). The returned ifr_hwaddr contains the expected MAC address in the first 8 bytes, but bytes 8-15 hold uninitialized kernel stack data from a previous stack frame - including kernel .text addresses and physmap pointers. …
Remediation The primary fix is to upgrade to a patched Linux kernel version: 7.1 or later, 7.0.11 or later in the 7.0.x stable series, or 6.18.34 or later in the 6.18.x stable series, per EUVD patch metadata. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy