PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46182 Linux CVE debrief

A kernel stack memory leak vulnerability in the Linux kernel's pseries/papr-hvpipe subsystem has been resolved. The issue stemmed from incomplete initialization of a stack-allocated `struct papr_hvpipe_hdr` structure, where reserved padding bytes (`reserved[3]` and `reserved2[40]`) could leak uninitialized kernel stack memory to userspace via `copy_to_user()`. The fix ensures complete zero-initialization of the structure before use. This vulnerability affects IBM Power Systems (pseries) running Linux with the papr-hvpipe driver enabled. The issue was disclosed on 2026-05-28 and patches are available for affected stable kernel branches.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running IBM Power Systems (pseries) with Linux kernels that include the papr-hvpipe driver, particularly multi-tenant environments where kernel memory leaks could expose sensitive information across security boundaries.

Technical summary

The `struct papr_hvpipe_hdr` used by the Linux kernel's pseries/papr-hvpipe driver was allocated on the stack and only partially initialized. The reserved padding fields within the structure could therefore still hold stale stack data when the structure was copied to userspace, resulting in information disclosure. The vulnerability is resolved by zero-initializing the entire structure, using `memset` or equivalent initialization, before it is used.
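The pattern described above, as an added userspace illustration that is not the kernel driver's code: a partially initialized header is copied out of a slot that holds stale data, next to the zero-first form. The struct name `hvpipe_hdr_demo`, the field types, the `0xA5` marker and `memcpy` standing in for `copy_to_user()` are assumptions; only the field names come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in layout: field names are from the advisory, types are assumed. */
struct hvpipe_hdr_demo {
    uint8_t  version;
    uint8_t  reserved[3];
    uint32_t flags;
    uint8_t  reserved2[40];
};

#define STALE 0xA5 /* constructed marker for leftover stack contents */

/* Before the fix: only the two named fields are written. */
static void fill_partial(struct hvpipe_hdr_demo *hdr)
{
    hdr->version = 1;
    hdr->flags = 0;
}

/* After the fix: the whole structure is zeroed before the fields are set. */
static void fill_zeroed(struct hvpipe_hdr_demo *hdr)
{
    memset(hdr, 0, sizeof(*hdr));
    fill_partial(hdr);
}

/* Build the header in a slot that holds stale data, copy it out (memcpy
 * stands in for copy_to_user) and count stale bytes the reader receives. */
size_t leaked_bytes(int zero_first)
{
    struct hvpipe_hdr_demo hdr;
    unsigned char user_buf[sizeof(hdr)];
    size_t i, leaked = 0;

    memset(&hdr, STALE, sizeof(hdr)); /* simulate a reused stack slot */
    if (zero_first)
        fill_zeroed(&hdr);
    else
        fill_partial(&hdr);
    memcpy(user_buf, &hdr, sizeof(hdr));
    for (i = 0; i < sizeof(user_buf); i++)
        leaked += (user_buf[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("partial init: %zu stale bytes copied out\n", leaked_bytes(0));
    printf("zeroed first: %zu stale bytes copied out\n", leaked_bytes(1));
    return 0;
}
```

The same byte count works as a regression check for any structure that crosses the kernel/user boundary: every byte in the outgoing buffer should be traceable to an explicit assignment or to the zeroing step.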

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from your Linux distribution that include the fix for CVE-2026-46182
  • Verify that the running kernel version is patched if using IBM Power Systems (pseries) with papr-hvpipe
  • Review systems for unauthorized access that may have exploited information disclosure vulnerabilities prior to patching
  • Monitor for distribution-specific security advisories for kernel package updates

Evidence notes

The vulnerability description confirms the issue is in the pseries/papr-hvpipe driver within the Linux kernel. The fix involves initializing the entire `struct papr_hvpipe_hdr` to zero rather than only explicitly setting `hdr.version` and `hdr.flags`. Multiple stable kernel branch commits are referenced, indicating backports to supported releases.

Official resources

2026-05-28