Skip to main content

Linux EUVDEUVD-2026-15381

| CVE-2026-23384 MEDIUM
Memory Leak (CWE-401)
2026-03-25 Linux GHSA-6pc7-mm64-g3v9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15381
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:28 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ionic: Fix kernel stack leak in ionic_create_cq()

struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below) __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask) __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK };

rsvd[7]: 7 bytes of stack memory leaked unconditionally.

cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but udma_count could be 1, meaning cqid[1] might never be written via ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4 bytes) is also leaked. So potentially 11 bytes leaked.

AnalysisAI

A kernel stack memory leak exists in the Linux kernel's RDMA/ionic driver within the ionic_create_cq() function, where uninitialized stack memory is copied to userspace via the ionic_cq_resp structure. An unprivileged local attacker with access to RDMA/ionic devices can trigger this vulnerability to leak up to 11 bytes of sensitive kernel stack data, potentially revealing kernel addresses, cryptographic material, or other sensitive information useful for further exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public proof-of-concept has been disclosed; however, patches are available across multiple stable kernel branches.

Technical ContextAI

The vulnerability resides in the RDMA/ionic subsystem (Remote Direct Memory Access over Ionic network adapter), a high-performance data transfer mechanism in the Linux kernel. The affected code initializes an ionic_cq_resp structure (a completion queue response) that is copied back to userspace without fully initializing all fields. Specifically, the rsvd[7] reserved field and potentially cqid[1] element of a 2-element array remain uninitialized due to conditional logic that may skip writing to cqid[1] when udma_mask has fewer than 2 bits set. This is a classic CWE-457 (Use of Uninitialized Variable) or CWE-200 (Information Exposure) vulnerability where kernel stack memory is inadvertently disclosed to unprivileged userspace processes. The CPE identifiers (cpe:2.3:a:linux:linux) indicate this affects all Linux kernel versions until patched.

RemediationAI

Apply the latest stable kernel patches by upgrading to a kernel version that includes commits a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e, 547d0b07ad73915b323bc21f85c5d3252bebbbcf, or faa72102b178c7ae6c6afea23879e7c84fc59b4e from the Linux kernel stable tree (https://git.kernel.org/stable/). Most Linux distributions will backport these fixes into their respective stable kernel versions; check your vendor's security advisories for specific patch release numbers. For immediate mitigation without patching, restrict access to RDMA/ionic device files (typically /dev/infiniband/*) to trusted users only by modifying device permissions or using SELinux/AppArmor policies. Disable the ionic RDMA driver (modprobe -r ionic) if RDMA functionality is not required on the system. As a temporary measure, enforce container/namespace isolation to prevent untrusted local processes from accessing RDMA devices.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy