5.5

CVE-2026-23007

EPSS 0.02%
Veröffentlicht 25.01.2026 14:36:20
Zuletzt bearbeitet 25.03.2026 19:21:49
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

block: zero non-PI portion of auto integrity buffer

In the Linux kernel, the following vulnerability has been resolved:

block: zero non-PI portion of auto integrity buffer

The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.
Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 10 VulnDex Vulnerability Enrichment 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.11.1 < 6.18.7

Linux ≫ Linux Kernel Version6.11 Update-

Linux ≫ Linux Kernel Version6.19 Updaterc1

Linux ≫ Linux Kernel Version6.19 Updaterc2

Linux ≫ Linux Kernel Version6.19 Updaterc3

Linux ≫ Linux Kernel Version6.19 Updaterc4

Linux ≫ Linux Kernel Version6.19 Updaterc5

Linux ≫ Linux Kernel Version6.19 Updaterc6

Linux ≫ Linux Kernel Version6.19 Updaterc7

Linux ≫ Linux Kernel Version6.19 Updaterc8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c

Patch

https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23007

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23007

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23007

EUVD