CVE-2026-45865 Linux CVE debrief

Who should care

System administrators running Linux kernels with MCTP over I2C support, particularly those using Aspeed (i2c-aspeed) or Nuvoton NPCM7xx (i2c-npcm7xx) I2C controllers. Embedded systems and BMC (Baseboard Management Controller) deployments using MCTP for out-of-band management are most likely affected.

Technical summary

The mctp-i2c driver in the Linux kernel did not initialize the read buffer ('val') before performing I2C read operations. When reading from an MCTP-I2C device, the driver would return the uninitialized value from the I2C bus driver's stack variable. For i2c-aspeed and i2c-npcm7xx drivers, this exposed up to one byte of uninitialized kernel stack memory per read. The vulnerability is an information disclosure issue where sensitive kernel memory could potentially be leaked to unprivileged userspace through MCTP I2C device reads. The fix initializes the read bytes to 0xff, ensuring consistent and safe return values when no data is available.

Defensive priority

medium

Recommended defensive actions

• Apply the relevant stable kernel patch for your kernel version
• Update to a kernel version containing the fix (check stable kernel releases)
• For systems using MCTP over I2C with i2c-aspeed or i2c-npcm7xx drivers, prioritize patching
• Verify MCTP I2C device reads return 0xff for unavailable data rather than variable values

Evidence notes

The vulnerability description and fix are sourced from the official CVE record and NVD entry. Multiple stable kernel commits are referenced, indicating backports to various kernel versions. The fix was tested with i2ctransfer demonstrating the corrected behavior returns 0xff instead of uninitialized data.

Official resources