Exposure of sensitive information to an unauthorized actor in Linux kernel - CVE-2026-23384

 

Exposure of sensitive information to an unauthorized actor in Linux kernel - CVE-2026-23384

Published: March 25, 2026


Vulnerability identifier: #VU124456
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23384
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization of stack memory in the RDMA/ionic driver when handling control queue creation. A local user can trigger the creation of a control queue via the ionic_create_cq() interface, causing uninitialized stack memory to be returned to userspace, which may disclose up to 11 bytes of kernel stack data.

The disclosed data may include portions of kernel stack memory due to partial initialization of the response structure before being copied to userspace.


How to mitigate CVE-2026-23384

Install security update from vendor's repository.

Sources