{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23384","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:46.008Z","datePublished":"2026-03-25T10:28:02.818Z","dateUpdated":"2026-05-11T22:05:50.100Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:05:50.100Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)\n    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq->udma_mask)\n    __u8  rsvd[7];         // offset 9 - NEVER SET <- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/ionic/ionic_controlpath.c"],"versions":[{"version":"e8521822c733c6deab0f339843cd37cd62c12795","lessThan":"a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e","status":"affected","versionType":"git"},{"version":"e8521822c733c6deab0f339843cd37cd62c12795","lessThan":"547d0b07ad73915b323bc21f85c5d3252bebbbcf","status":"affected","versionType":"git"},{"version":"e8521822c733c6deab0f339843cd37cd62c12795","lessThan":"faa72102b178c7ae6c6afea23879e7c84fc59b4e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/ionic/ionic_controlpath.c"],"versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"},{"url":"https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf"},{"url":"https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e"}],"title":"RDMA/ionic: Fix kernel stack leak in ionic_create_cq()","x_generator":{"engine":"bippy-1.2.0"}}}}