5.5
CVE-2026-46132
- EPSS 0.13%
- Veröffentlicht 28.05.2026 09:35:47
- Zuletzt bearbeitet 24.06.2026 17:51:37
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
In the Linux kernel, the following vulnerability has been resolved:
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack
without initialisation:
struct ifla_vf_broadcast vf_broadcast;
The struct contains a single fixed 32-byte field:
/* include/uapi/linux/if_link.h */
struct ifla_vf_broadcast {
__u8 broadcast[32];
};
The function then copies dev->broadcast into it using dev->addr_len
as the length:
memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
On Ethernet devices (the overwhelming majority of SR-IOV NICs)
dev->addr_len is 6, so only the first 6 bytes of broadcast[] are
written. The remaining 26 bytes retain whatever was previously on
the kernel stack. The full struct is then handed to userspace via:
nla_put(skb, IFLA_VF_BROADCAST,
sizeof(vf_broadcast), &vf_broadcast)
leaking up to 26 bytes of uninitialised kernel stack per VF per
RTM_GETLINK request, repeatable.
The other vf_* structs in the same function are explicitly zeroed
for exactly this reason - see the memset() calls for ivi,
vf_vlan_info, node_guid and port_guid a few lines above.
vf_broadcast was simply missed when it was added.
Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an
IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks
each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per
VF per request. Stack residue at this call site can include return
addresses and transient sensitive data; KASAN with stack
instrumentation, or KMSAN, will flag the nla_put() when reproduced.
Zero the on-stack struct before the partial memcpy, matching the
existing pattern used for the other vf_* structs in the same
function.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.3 < 5.10.258
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.209
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.175
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.140
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.88
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.30
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.7
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.028 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-908 Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00
https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8
https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5
https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011
https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0
https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1
https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7
https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d