net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
Summary
| CVE | CVE-2026-46132 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-28 10:16:28 UTC |
| Updated | 2026-06-01 17:17:27 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation: struct ifla_vf_broadcast vf_broadcast; The struct contains a single fixed 32-byte field: /* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; }; The function then copies dev->broadcast into it using dev->addr_len as the length: memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via: nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast) leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable. The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added. Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced. Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function. |
Risk And Classification
EPSS: 0.000320000 probability, percentile 0.097210000 (date 2026-06-03)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 14271b401ec6a4bf0d88054106fc2956084717e1 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 cccce3190ba4356432b9f22369b56123d3d89f0d git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 a44fbb631cba646532f3948636626f81717365a7 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 0653c0516234c8258975d268a749115fc0f0ff00 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 fbe0e6197225e6a83cf113a67a4b425f8de0bcd5 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 38bcc21f52246badb3154b6158dcb381d98de011 git | Not specified |
| CNA | Linux | Linux | affected 75345f888f700c4ab2448287e35d48c760b202e6 4b9e327991815e128ad3af75c3a04630a63ce3e0 git | Not specified |
| CNA | Linux | Linux | affected 5.3 | Not specified |
| CNA | Linux | Linux | unaffected 5.3 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.88 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.30 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.7 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc3 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.