{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46132","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.099Z","datePublished":"2026-05-28T09:35:47.047Z","dateUpdated":"2026-06-14T17:56:50.522Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:56:50.522Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev->broadcast into it using dev->addr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev->addr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/rtnetlink.c"],"versions":[{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"14271b401ec6a4bf0d88054106fc2956084717e1","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"cccce3190ba4356432b9f22369b56123d3d89f0d","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"a44fbb631cba646532f3948636626f81717365a7","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"0653c0516234c8258975d268a749115fc0f0ff00","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"fbe0e6197225e6a83cf113a67a4b425f8de0bcd5","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"38bcc21f52246badb3154b6158dcb381d98de011","status":"affected","versionType":"git"},{"version":"75345f888f700c4ab2448287e35d48c760b202e6","lessThan":"4b9e327991815e128ad3af75c3a04630a63ce3e0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/rtnetlink.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1"},{"url":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d"},{"url":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7"},{"url":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00"},{"url":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"},{"url":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"},{"url":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011"},{"url":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0"}],"title":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo","x_generator":{"engine":"bippy-1.2.0"}}}}