PatchSiren

CVE-2026-46132 Linux CVE debrief

CVE-2026-46132 is an information disclosure vulnerability in the Linux kernel's rtnetlink subsystem. The flaw exists in `rtnl_fill_vfinfo()` where a stack-allocated `struct ifla_vf_broadcast` is not initialized before a partial `memcpy()` copies only 6 bytes of device broadcast address data, leaving 26 bytes of uninitialized kernel stack memory that is subsequently leaked to userspace via `nla_put()`. The vulnerability is reachable by any unprivileged local process through AF_NETLINK/NETLINK_ROUTE sockets with RTM_GETLINK requests carrying IFLA_EXT_MASK with RTEXT_FILTER_VF. Each request leaks up to 26 bytes of kernel stack per virtual function (VF), with potential exposure of return addresses and transient sensitive data. The fix zeroes the struct before the partial copy, matching the existing pattern used for other vf_* structures in the same function.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux system administrators, cloud providers using SR-IOV for network virtualization, kernel security teams, and organizations running multi-tenant Linux environments where unprivileged local access is possible.

Technical summary

The vulnerability stems from inconsistent initialization patterns in `rtnl_fill_vfinfo()` within `net/core/rtnetlink.c`. While other VF-related structures (ivi, vf_vlan_info, node_guid, port_guid) are explicitly zeroed with `memset()`, the `vf_broadcast` structure added later was omitted. On Ethernet devices with `dev->addr_len` of 6, only 6 of 32 bytes are written, exposing 26 bytes of uninitialized stack per VF to any local user capable of netlink operations. The information leak is repeatable and scalable with VF count.
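The partial-copy pattern described above, next to the zero-first fix, as a user-space model added here for illustration; it is not the kernel's code or the upstream patch. The names `vf_broadcast_model`, `fill_vf_broadcast`, `stale_bytes` and `leaked_after_fill` are hypothetical, and the `STALE` marker is a constructed stand-in for leftover stack contents so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VF_BCAST_LEN 32   /* payload size of the struct, per the summary above */
#define STALE 0xA5        /* constructed marker standing in for old stack bytes */

/* User-space stand-in for the 32-byte struct that is copied to userspace. */
struct vf_broadcast_model { uint8_t broadcast[VF_BCAST_LEN]; };

/* Models the fill step. The buffer is pre-filled with STALE so the
 * "uninitialized" state is deterministic rather than undefined behaviour. */
static void fill_vf_broadcast(struct vf_broadcast_model *out,
                              const uint8_t *dev_bcast, size_t addr_len, int zero_first)
{
    memset(out, STALE, sizeof(*out));      /* simulate leftover stack contents */
    if (zero_first)
        memset(out, 0, sizeof(*out));      /* the fix: zero before partial copy */
    if (addr_len > sizeof(out->broadcast))
        addr_len = sizeof(out->broadcast); /* never copy past the struct */
    memcpy(out->broadcast, dev_bcast, addr_len);
}

/* Counts payload bytes past addr_len that still hold stale data. */
static size_t stale_bytes(const struct vf_broadcast_model *m, size_t addr_len)
{
    size_t n = 0;
    for (size_t i = addr_len; i < sizeof(m->broadcast); i++)
        if (m->broadcast[i] == STALE)
            n++;
    return n;
}

/* Runs one fill and reports how many stale bytes the full struct would carry. */
static size_t leaked_after_fill(size_t addr_len, int zero_first)
{
    uint8_t bcast[VF_BCAST_LEN];
    struct vf_broadcast_model m;
    memset(bcast, 0xff, sizeof(bcast));    /* constructed broadcast address */
    fill_vf_broadcast(&m, bcast, addr_len, zero_first);
    return stale_bytes(&m, addr_len);
}

int main(void)
{
    printf("unfixed, addr_len=6: %zu stale bytes\n", leaked_after_fill(6, 0));
    printf("fixed,   addr_len=6: %zu stale bytes\n", leaked_after_fill(6, 1));
    return 0;
}
```

The same counting approach works as a regression check in review: any struct that is sent whole after a length-limited copy should report zero stale bytes for every supported address length.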

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from distribution vendors once patches are available
  • Monitor for kernel package updates addressing this CVE
  • Consider restricting unprivileged user namespaces if the workload does not require them
  • Review systems with SR-IOV-enabled NICs as the primary exposure surface
  • Enable kernel stack instrumentation (KASAN/KMSAN) in test environments to detect similar issues

Evidence notes

The vulnerability description confirms unprivileged local reachability via standard netlink sockets. The multiple stable kernel commits provided indicate backports to affected versions. No CVSS score had been assigned by NVD at the time of disclosure.
