CVE-2026-46132
Received Received - Intake
Memory Leak in Linux Kernel RTNL Fill VF Info

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation: struct ifla_vf_broadcast vf_broadcast; The struct contains a single fixed 32-byte field: /* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; }; The function then copies dev->broadcast into it using dev->addr_len as the length: memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via: nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast) leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable. The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added. Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced. Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46132
EUVD
EUVD-2026-32891
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's rtnetlink component, specifically in the function rtnl_fill_vfinfo. The function declares a struct ifla_vf_broadcast on the stack without initializing it fully. This struct has a 32-byte field, but only the first 6 bytes are overwritten with device broadcast data, leaving the remaining 26 bytes uninitialized and containing leftover kernel stack data.

When this struct is sent to userspace via a netlink message, it leaks up to 26 bytes of uninitialized kernel stack memory per virtual function (VF) per RTM_GETLINK request. This leaked data can include sensitive information such as return addresses and transient kernel data.

The vulnerability can be triggered by any unprivileged local process that can open AF_NETLINK/NETLINK_ROUTE sockets and send RTM_GETLINK requests with specific attributes, causing the kernel to expose this uninitialized stack data.

Impact Analysis

This vulnerability can lead to information leakage from the kernel stack to unprivileged userspace processes. The leaked data may include sensitive kernel memory contents such as return addresses and other transient data.

An attacker could exploit this to gain insights into kernel memory layout, which might aid in further attacks such as privilege escalation or bypassing security mechanisms.

Since the vulnerability is reachable by any unprivileged local process, it increases the risk of local information disclosure without requiring elevated privileges.

Detection Guidance

This vulnerability can be detected by observing if unprivileged local processes are able to send RTM_GETLINK requests with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF and receive kernel stack data leakage in the IFLA_VF_BROADCAST field.

A practical detection method involves using a local user process to send a NETLINK_ROUTE RTM_GETLINK request with the appropriate filter and inspecting the response for leaked uninitialized kernel stack bytes.

While specific commands are not provided in the context, the vulnerability description implies that using tools or scripts that can send RTM_GETLINK requests via netlink sockets and parse the IFLA_VF_BROADCAST data could reveal the presence of the leak.

Mitigation Strategies

The immediate mitigation step is to apply the patch that zeroes the on-stack struct ifla_vf_broadcast before the partial memcpy operation in the rtnl_fill_vfinfo() function.

This patch matches the existing pattern used for other vf_* structs in the same function, preventing leakage of uninitialized kernel stack data.

Until the patch is applied, restricting unprivileged local users from sending RTM_GETLINK requests with IFLA_EXT_MASK carrying RTEXT_FILTER_VF can reduce the risk of exploitation.

Compliance Impact

This vulnerability causes leakage of uninitialized kernel stack data, which can include return addresses and transient sensitive data, to unprivileged local processes. Such unintended exposure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46132. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart