{"id":"CVE-2026-46132","summary":"net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev-\u003ebroadcast into it using dev-\u003eaddr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev-\u003ebroadcast, dev-\u003eaddr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev-\u003eaddr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction.","modified":"2026-06-05T18:29:25.618788428Z","published":"2026-05-28T09:35:47.047Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46132.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46132.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46132"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"75345f888f700c4ab2448287e35d48c760b202e6"},{"fixed":"14271b401ec6a4bf0d88054106fc2956084717e1"},{"fixed":"cccce3190ba4356432b9f22369b56123d3d89f0d"},{"fixed":"a44fbb631cba646532f3948636626f81717365a7"},{"fixed":"0653c0516234c8258975d268a749115fc0f0ff00"},{"fixed":"c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"},{"fixed":"fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"},{"fixed":"38bcc21f52246badb3154b6158dcb381d98de011"},{"fixed":"4b9e327991815e128ad3af75c3a04630a63ce3e0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46132.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.3.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46132.json"}}],"schema_version":"1.7.5"}