{"api_version":"1","generated_at":"2026-06-04T03:47:43+00:00","cve":"CVE-2026-46132","urls":{"html":"https://cve.report/CVE-2026-46132","api":"https://cve.report/api/cve/CVE-2026-46132.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46132","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46132"},"summary":{"title":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev->broadcast into it using dev->addr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev->addr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-28 10:16:28","updated_at":"2026-06-01 17:17:27"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7","name":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00","name":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5","name":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1","name":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8","name":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d","name":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0","name":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011","name":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46132","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46132","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 14271b401ec6a4bf0d88054106fc2956084717e1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 cccce3190ba4356432b9f22369b56123d3d89f0d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 a44fbb631cba646532f3948636626f81717365a7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 0653c0516234c8258975d268a749115fc0f0ff00 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 fbe0e6197225e6a83cf113a67a4b425f8de0bcd5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 38bcc21f52246badb3154b6158dcb381d98de011 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 75345f888f700c4ab2448287e35d48c760b202e6 4b9e327991815e128ad3af75c3a04630a63ce3e0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.3","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.3 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.258 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.209 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.88 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.30 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.7 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc3 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46132","cve":"CVE-2026-46132","epss":"0.000320000","percentile":"0.097210000","score_date":"2026-06-03","updated_at":"2026-06-04 00:06:35"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/core/rtnetlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"14271b401ec6a4bf0d88054106fc2956084717e1","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"cccce3190ba4356432b9f22369b56123d3d89f0d","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"a44fbb631cba646532f3948636626f81717365a7","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"0653c0516234c8258975d268a749115fc0f0ff00","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"fbe0e6197225e6a83cf113a67a4b425f8de0bcd5","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"38bcc21f52246badb3154b6158dcb381d98de011","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"},{"lessThan":"4b9e327991815e128ad3af75c3a04630a63ce3e0","status":"affected","version":"75345f888f700c4ab2448287e35d48c760b202e6","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/core/rtnetlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.3"},{"lessThan":"5.3","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.258","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.209","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.88","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.30","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc3","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.258","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.209","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.88","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.30","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.7","versionStartIncluding":"5.3","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc3","versionStartIncluding":"5.3","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev->broadcast into it using dev->addr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev->addr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction."}],"providerMetadata":{"dateUpdated":"2026-06-01T16:18:55.372Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1"},{"url":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d"},{"url":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7"},{"url":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00"},{"url":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"},{"url":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"},{"url":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011"},{"url":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0"}],"title":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46132","datePublished":"2026-05-28T09:35:47.047Z","dateReserved":"2026-05-13T15:03:33.099Z","dateUpdated":"2026-06-01T16:18:55.372Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-28 10:16:28","lastModifiedDate":"2026-06-01 17:17:27","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46132","Ordinal":"1","Title":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak i","CVE":"CVE-2026-46132","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46132","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev->broadcast into it using dev->addr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev->addr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction.","Type":"Description","Title":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak i"}]}}}