CVE Catalog

CVE-2026-52937

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a stack info leak was found in the tap driver via the SIOCGIFHWADDR ioctl. The tap_ioctl() function copies 16 bytes of an uninitialized sockaddr_storage structure to userspace, while netif_get_mac_address() only writes 6 bytes of the MAC address, leaving 8 bytes uninitialized. These 8 bytes may leak sensitive kernel data, including pointers, defeating KASLR.

Risk Assessment

The kernel stack leak can expose confidential information, such as kernel memory addresses, facilitating attacks that require knowledge of memory layout, like system compromise. The vulnerability affects macvtap interfaces and can be exploited locally by an unprivileged user.

Recommendation

Immediately update the Linux kernel to a version containing the fix that initializes the sockaddr_storage structure before use. For production systems, apply the security patch from your distributor.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS