SB20260529173 - Use of Uninitialized Variable in Linux kernel core



SB20260529173 - Use of Uninitialized Variable in Linux kernel core

Published: May 29, 2026

Security Bulletin ID: SB20260529173
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Use of Uninitialized Variable (CVE-ID: CVE-2026-46132)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to read uninitialized kernel stack memory, which can contain sensitive data.

The vulnerability exists because rtnl_fill_vfinfo leaves stack memory uninitialized when it answers an RTM_GETLINK request whose IFLA_EXT_MASK attribute carries RTEXT_FILTER_VF. A local attacker can send such a crafted netlink request and receive the uninitialized bytes in the reply. The request path is reachable from an unprivileged local process, consistent with the PR:L rating in the vector above.

The issue can leak up to 26 bytes of uninitialized kernel stack per virtual function per request to userspace, so a device exposing several VFs returns more uninitialized bytes per request, and the request can be repeated at will.
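As an added illustration of the CWE-457 pattern behind this bulletin (example code written for this page, not the kernel's rtnl_fill_vfinfo and not an analysis of the actual fix), the block below builds one per-VF attribute on a stack slot that already holds stale data and then counts how many of those stale bytes would be copied out, once with the leaky fill and once with the hardened fill. The struct layout is an assumption modeled on the UAPI struct ifla_vf_mac (a 32-bit VF index followed by a 32-byte MAC field, of which a hardware address needs only 6 bytes); the 0xAA sentinel and the MAC address are constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example, modeled on the UAPI struct ifla_vf_mac
 * (uint32 vf index + 32-byte MAC field). It illustrates CWE-457; it is not
 * the bulletin's affected code. */
struct vf_mac_attr {
    uint32_t vf;
    uint8_t  mac[32];
};

#define STALE      0xAA  /* stand-in for whatever an earlier call left on the stack */
#define HWADDR_LEN 6     /* bytes of a hardware address actually written */

/* Vulnerable pattern: only 6 bytes of the 32-byte MAC field are written; the
 * remaining 26 bytes keep whatever the stack slot held before the call and
 * go out to userspace unchanged. */
static void fill_vf_mac_leaky(struct vf_mac_attr *a, uint32_t vf,
                              const uint8_t hw[HWADDR_LEN])
{
    a->vf = vf;
    memcpy(a->mac, hw, HWADDR_LEN);
}

/* Hardened pattern: zero the whole attribute before filling it (a memset or,
 * equivalently, a zero initializer), so every byte copied out is defined. */
static void fill_vf_mac_fixed(struct vf_mac_attr *a, uint32_t vf,
                              const uint8_t hw[HWADDR_LEN])
{
    memset(a, 0, sizeof(*a));
    a->vf = vf;
    memcpy(a->mac, hw, HWADDR_LEN);
}

/* Count bytes of the attribute that still hold the stale sentinel, i.e. the
 * bytes that would reach userspace without ever having been initialized. */
static size_t count_stale(const struct vf_mac_attr *a)
{
    const uint8_t *p = (const uint8_t *)a;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*a); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Simulate building one attribute on a stack slot that already contains
 * stale data. Returns the number of uninitialized bytes that survive. */
size_t stale_bytes_after_fill(int hardened)
{
    /* constructed sample hardware address; no byte equals the sentinel */
    const uint8_t hw[HWADDR_LEN] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30};
    struct vf_mac_attr a;

    memset(&a, STALE, sizeof(a));  /* "previous contents" of the stack slot */
    if (hardened)
        fill_vf_mac_fixed(&a, 0, hw);
    else
        fill_vf_mac_leaky(&a, 0, hw);
    return count_stale(&a);
}

int main(void)
{
    printf("attribute size: %zu bytes\n", sizeof(struct vf_mac_attr));
    printf("leaky fill:     %zu uninitialized bytes copied out\n",
           stale_bytes_after_fill(0));
    printf("hardened fill:  %zu uninitialized bytes copied out\n",
           stale_bytes_after_fill(1));
    return 0;
}
```

Under the assumed layout the leaky fill leaves exactly 26 of 36 bytes uninitialized, which is the same per-VF figure the bulletin reports; whether that is the actual origin of the reported 26 bytes is not something this example establishes. The practical check when reviewing similar netlink fill paths is that every struct handed to nla_put() is fully written or zeroed first, including array tails and compiler padding.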


Remediation

A patch is available. Install the updated kernel from the vendor's website.