Skip to main content

Linux Kernel EUVDEUVD-2026-27589

| CVE-2026-43089 MEDIUM
Memory Leak (CWE-401)
2026-05-06 Linux GHSA-8xhw-c2pc-2vqq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 17:27 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm_user: fix info leak in build_mapping()

struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables.

AnalysisAI

Uninitialized kernel memory is leaked to userspace through the xfrm_user subsystem's build_mapping() function in the Linux Kernel, where a one-byte compiler padding hole in struct xfrm_usersa_id after the proto field is never zeroed before the structure is copied across the kernel/userspace boundary. Authenticated local users with access to XFRM netlink interfaces can read this stale padding byte, potentially extracting kernel stack or heap fragments usable as an information disclosure primitive. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Technical ContextAI

The vulnerability resides in the Linux kernel's XFRM (IPsec transform) subsystem, specifically the xfrm_user interface layer that handles netlink communication of IPsec security association metadata between kernel and userspace. The structure struct xfrm_usersa_id, defined in the kernel UAPI headers, contains a compiler-inserted one-byte alignment padding hole immediately following the proto field. In build_mapping(), this structure is assembled by assigning individual fields without first zeroing the entire allocation, leaving the padding byte populated with whatever residual data occupied that memory location - typically a fragment of kernel stack or slab heap. When the netlink subsystem copies this struct to userspace, the uninitialized padding byte travels with it. CWE-401 (Missing Release of Memory after Effective Lifetime) is the assigned weakness, though CWE-908 (Use of Uninitialized Resource) or CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) more precisely characterize the root cause class - this CWE assignment warrants scrutiny. The vulnerability was introduced at commit 3a2dfbe8acb154905fdc2fd03ec56df42e6c4cc4, traceable to Linux 2.6.29.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.6.136 (stable), 6.12.83 (stable), 6.18.24 (stable), 6.19.14 (stable), or 7.0 and later. The fix zeroes the entire struct xfrm_usersa_id before populating individual fields, eliminating the uninitialized padding. Upstream fix commits are available at https://git.kernel.org/stable/c/f779a6b6cdb6e12baa0663063ac59ab2a8f20c0c, https://git.kernel.org/stable/c/1beb76b2053b68c491b78370794b8ff63c8f8c02, https://git.kernel.org/stable/c/d3125c541a96fb3c0fc7210112684baf22b6c24d, and others linked in the CVE references. If kernel upgrade is not immediately possible, restrict access to XFRM netlink operations using LSM policy (SELinux or AppArmor) to limit which processes can invoke IPsec security association interfaces - note this may disrupt legitimate IPsec VPN daemons (e.g., strongSwan, Libreswan) and requires careful policy validation before deployment. Disabling user namespace creation (sysctl kernel.unprivileged_userns_clone=0) reduces the attack surface for unprivileged users attempting to gain CAP_NET_ADMIN via namespace isolation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy