SB20260529173 - Use of Uninitialized Variable in Linux kernel core
Published: May 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Use of Uninitialized Variable (CVE-ID: CVE-2026-46132)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to uninitialized stack memory in rtnl_fill_vfinfo when handling RTM_GETLINK requests with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. A local attacker can send a crafted netlink request to disclose sensitive information.
The issue can leak up to 26 bytes of uninitialized kernel stack per virtual function per request to userspace.
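As an added illustration of this bug class (not the kernel's code; it uses a made-up struct rather than any rtnetlink structure), the following userspace C harness shows the unsafe and the hardened filler pattern side by side, plus a poison-and-compare check that counts output bytes a filler never wrote:

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical attribute payload (not a real rtnetlink struct): 'flag' is
 * only written when the caller reports it, and the ABI pads after it. */
struct vf_attr {
    uint32_t vf;
    uint8_t  flag;   /* 3 padding bytes usually follow on common ABIs */
    uint32_t rate;
};

#define POISON 0xAA  /* stands in for stale stack contents */

/* Vulnerable pattern: only the known fields are set; whatever the stack
 * held in 'flag' (when unreported) and in the padding goes out as-is. */
static void fill_vf_attr_unsafe(struct vf_attr *out, uint32_t vf, int have_flag)
{
    out->vf = vf;
    if (have_flag)
        out->flag = 1;
    out->rate = 100;
}

/* Hardened pattern: zero the whole object, padding included, first. */
static void fill_vf_attr_safe(struct vf_attr *out, uint32_t vf, int have_flag)
{
    memset(out, 0, sizeof(*out));
    out->vf = vf;
    if (have_flag)
        out->flag = 1;
    out->rate = 100;
}

/* Check: poison the object, run the filler, count bytes still poisoned,
 * i.e. bytes the filler never wrote and would hand to userspace. */
static size_t count_leaked_bytes(void (*fill)(struct vf_attr *, uint32_t, int),
                                 int have_flag)
{
    struct vf_attr a;
    const unsigned char *p = (const unsigned char *)&a;
    size_t i, leaked = 0;

    memset(&a, POISON, sizeof(a));
    fill(&a, 7, have_flag);
    for (i = 0; i < sizeof(a); i++)
        if (p[i] == POISON)
            leaked++;
    return leaked;
}
```

The same poison-then-compare check works as a unit test for any serializer that copies a stack object out verbatim: a non-zero count means some byte reaching the receiver was never deliberately written.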
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00
- https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011
- https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0
- https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8
- https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5