Skip to main content

Linux Kernel EUVDEUVD-2026-32891

| CVE-2026-46132 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-m5g9-vgm2-5cvw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local unprivileged user can repeatably leak kernel stack bytes; no integrity or availability impact exists.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 20:24 vuln.today
CVSS changed
Jun 24, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo

rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:

struct ifla_vf_broadcast vf_broadcast;

The struct contains a single fixed 32-byte field:

/* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; };

The function then copies dev->broadcast into it using dev->addr_len as the length:

memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);

On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:

nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast)

leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.

The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.

Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.

Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.

AnalysisAI

Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.

Technical ContextAI

The vulnerability resides in net/core/rtnetlink.c within the rtnl_fill_vfinfo() function, which populates Netlink attributes for Virtual Function (VF) information in response to RTM_GETLINK requests. The affected struct is ifla_vf_broadcast (defined in include/uapi/linux/if_link.h), which contains a single 32-byte broadcast[] array. On Ethernet NICs (the dominant SR-IOV hardware), dev->addr_len is 6, so memcpy writes only the first 6 bytes; the remaining 26 bytes retain arbitrary kernel stack residue. CWE-908 (Use of Uninitialized Resource) precisely describes this root cause - the variable is used (passed to nla_put()) before it is fully initialized. Notably, the other vf_* structs in the same function (ivi, vf_vlan_info, node_guid, port_guid) are explicitly zeroed with memset() calls, indicating awareness of the risk; vf_broadcast was simply missed when added. Affected CPE: cpe:2.3:o:linux:linux_kernel from version 5.3 through the patched stable releases.

RemediationAI

Update the Linux kernel to a patched version: 6.6.140 or later for the 6.6.x LTS branch, 6.12.88 or later for the 6.12.x LTS branch, 6.18.30 or later for the 6.18.x stable branch, or 7.0.7 or later for the 7.0.x stable branch; the 7.1-rc3 mainline also includes the fix. Fix commits are available at https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00, https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011, https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5, https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8, and https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0. For systems where a kernel update is not immediately possible, a compensating control is to restrict AF_NETLINK socket access using seccomp filters or LSM (SELinux/AppArmor) policies that deny NETLINK_ROUTE socket creation for unprivileged processes - note this may break network diagnostic tools (ip, ss, iproute2) for non-root users. Alternatively, ensuring no SR-IOV VFs are actively configured (removing VF count from PCI sysfs) prevents the vulnerable code path from executing, at the cost of SR-IOV functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy