Description
In the Linux kernel, the following vulnerability has been resolved:

block: zero non-PI portion of auto integrity buffer

The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.

Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.
Published: 2026-01-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

In the Linux kernel block layer, the auto-generated integrity buffer for writes was not fully initialized when PI was generated and the metadata size exceeded the PI tuple size. The remainder of the metadata (the "opaque" portion) was passed to the underlying block device uninitialized, where it can be read back by userspace or by anyone with physical access to the storage device, disclosing whatever the uninitialized memory held. The flaw is a use of an uninitialized resource (CWE-908) and poses a confidentiality risk.
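
The gap described above, modelled in user space as an added example; this is not kernel code. The struct, the function names, the fill bytes and the assumption that the PI tuple sits at offset 0 of each interval's metadata are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed stand-in for leftover heap contents */

/* Hypothetical model of a device's integrity format, not the kernel struct. */
struct integrity_fmt {
    bool   generate;       /* PI generation enabled (the sysfs toggle) */
    size_t pi_tuple_size;  /* 0 when no checksum type is configured */
    size_t metadata_size;  /* per-interval metadata, >= pi_tuple_size */
};

/* Zeroing decision as the description states it was before the fix. */
static bool must_zero_before(const struct integrity_fmt *f) {
    return !f->generate || f->pi_tuple_size == 0;
}

/* Generalized decision: zero whenever opaque bytes exist beyond the tuple. */
static bool must_zero_after(const struct integrity_fmt *f) {
    return !f->generate || f->metadata_size > f->pi_tuple_size;
}

/* Build the write-side buffer and count stale bytes that would reach disk. */
static size_t stale_bytes(const struct integrity_fmt *f, size_t intervals,
                          bool (*must_zero)(const struct integrity_fmt *)) {
    size_t len = intervals * f->metadata_size, stale = 0;
    unsigned char *buf = malloc(len);
    if (!buf) return (size_t)-1;
    memset(buf, STALE, len);            /* simulate uninitialized memory */
    if (must_zero(f))
        memset(buf, 0, len);
    if (f->generate)                    /* PI generation fills only the tuple */
        for (size_t i = 0; i < intervals; i++)
            memset(buf + i * f->metadata_size, 0x11, f->pi_tuple_size);
    for (size_t i = 0; i < len; i++)
        stale += (buf[i] == STALE);
    free(buf);
    return stale;
}

int main(void) {
    struct integrity_fmt f = { true, 8, 64 };  /* constructed: 8-byte PI, 64-byte metadata */
    printf("before: %zu stale bytes, after: %zu\n",
           stale_bytes(&f, 8, must_zero_before), stale_bytes(&f, 8, must_zero_after));
    return 0;
}
```

With the constructed 8-byte tuple in 64-byte metadata, the earlier decision leaves the 56 opaque bytes of every interval untouched, while the cases the description says were already handled (generation disabled, tuple size 0, metadata equal to the tuple) leave nothing stale under either decision.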

Affected Systems

The vulnerability impacts the Linux kernel, specifically the 6.11 series and the 6.19 series release candidates up to rc8, as identified in the CPE catalog. Any system running one of these kernel versions without the patch is susceptible, regardless of distribution. The defect resides in the core block layer code, so all distributions using the affected source code are affected until the fix is applied.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of exploitation. The flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. An attacker would need local or physical access to the machine or the block device to read uninitialized metadata; the vulnerability is confined to integrity buffer handling and cannot be leveraged remotely without additional local privileges.

Generated by OpenCVE AI on April 18, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a patched release that includes the fix for this issue (for example, any kernel version newer than the ones listed in the affected CPE range).
  • As a temporary measure, disable integrity protection or set the PI tuple size to zero via the appropriate sysfs interface so the buffer is fully zeroed before being handed to the device.
  • Protect physical access to storage devices and monitor for suspicious read activity that might indicate exploitation.



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*

Mon, 26 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Sun, 25 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Title block: zero non-PI portion of auto integrity buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:59.916Z

Reserved: 2026-01-13T15:37:45.939Z

Link: CVE-2026-23007

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-25T15:15:55.580

Modified: 2026-03-25T19:21:49.837

Link: CVE-2026-23007

Red Hat

Severity: Low

Public Date: 2026-01-25T00:00:00Z

Links: CVE-2026-23007 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses