Skip to main content

Linux EUVDEUVD-2026-15298

| CVE-2026-23335 MEDIUM
Memory Leak (CWE-401)
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
3.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15298
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()

struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK };

rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().

The reserved members of the structure were not zeroed.

AnalysisAI

A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.

Technical ContextAI

The vulnerability resides in the Linux kernel's RDMA (Remote Direct Memory Access) InfiniBand driver for Intel RDMA Engine (irdma), specifically in the user-space AH (Address Handle) creation code path. The irdma_create_ah_resp structure is a kernel-to-userspace response object that should be fully initialized before being copied to user space via ib_respond_udata(). The structure contains two fields: ah_id (4 bytes, set by the kernel) and rsvd[4] (4 bytes of reserved space, never initialized). This is an instance of CWE-457 (Use of Uninitialized Variable) or CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where kernel memory is inadvertently exposed to unprivileged user space. The CPE designation (cpe:2.3:a:linux:linux) indicates this affects the Linux kernel itself across all architectures that support the irdma driver.

RemediationAI

Update the Linux kernel to a version that includes one of the published patches, accessible via https://git.kernel.org/stable/. Identify your kernel version (uname -r) and check the stable kernel repository to confirm whether your branch includes the fix commits listed in the references. For distributions, check for kernel security updates from your vendor (Red Hat, Ubuntu, Debian, SUSE, etc.) that incorporate these patches. If immediate patching is not feasible, restrict access to RDMA operations to trusted users only by adjusting file permissions on /dev/infiniband/* devices and using LSM-based access controls (AppArmor, SELinux) to limit which processes can invoke irdma operations. This is a low-impact mitigation since the leak is information-only, but patching is strongly preferred as the fix is straightforward.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy