CVE-2026-46132
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
28/05/2026
Última modificación:
24/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo<br />
<br />
rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack<br />
without initialisation:<br />
<br />
struct ifla_vf_broadcast vf_broadcast;<br />
<br />
The struct contains a single fixed 32-byte field:<br />
<br />
/* include/uapi/linux/if_link.h */<br />
struct ifla_vf_broadcast {<br />
__u8 broadcast[32];<br />
};<br />
<br />
The function then copies dev->broadcast into it using dev->addr_len<br />
as the length:<br />
<br />
memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);<br />
<br />
On Ethernet devices (the overwhelming majority of SR-IOV NICs)<br />
dev->addr_len is 6, so only the first 6 bytes of broadcast[] are<br />
written. The remaining 26 bytes retain whatever was previously on<br />
the kernel stack. The full struct is then handed to userspace via:<br />
<br />
nla_put(skb, IFLA_VF_BROADCAST,<br />
sizeof(vf_broadcast), &vf_broadcast)<br />
<br />
leaking up to 26 bytes of uninitialised kernel stack per VF per<br />
RTM_GETLINK request, repeatable.<br />
<br />
The other vf_* structs in the same function are explicitly zeroed<br />
for exactly this reason - see the memset() calls for ivi,<br />
vf_vlan_info, node_guid and port_guid a few lines above.<br />
vf_broadcast was simply missed when it was added.<br />
<br />
Reachability: any unprivileged local process can open AF_NETLINK /<br />
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an<br />
IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks<br />
each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per<br />
VF per request. Stack residue at this call site can include return<br />
addresses and transient sensitive data; KASAN with stack<br />
instrumentation, or KMSAN, will flag the nla_put() when reproduced.<br />
<br />
Zero the on-stack struct before the partial memcpy, matching the<br />
existing pattern used for the other vf_* structs in the same<br />
function.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.3 (incluyendo) | 5.10.258 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (incluyendo) | 5.15.209 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.175 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00
- https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1
- https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011
- https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0
- https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7
- https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8
- https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d
- https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5



