CVE-2026-23384 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ionic: Fix kernel stack leak in ionic_create_cq()

struct ionic_cq_resp resp {
__u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)
__u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
__u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK
};

rsvd[7]: 7 bytes of stack memory leaked unconditionally.

cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
udma_count could be 1, meaning cqid[1] might never be written via
ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
bytes) is also leaked. So potentially 11 bytes leaked.

Published: 2026-03-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a stack memory leak in the RDMA/ionic driver, specifically in the ionic_create_cq() routine. Uninitialised fields leave 7 to 11 bytes of kernel stack data exposed, which could contain sensitive kernel state. The flaw is classified as an information‑exposure issue (CWE‑908).

Affected Systems

All Linux kernels that include the RDMA/ionic driver are affected. No specific versions are listed, so any distribution that has not installed the recent patch containing the driver fix remains vulnerable. Administrators should verify whether their running kernel contains the commit that resolves the leak.

Risk and Exploitability

EPSS shows a probability of exploitation of less than 1 %, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or privileged; an attacker with the ability to interact with the RDMA driver can trigger ionic_create_cq() and read the leaked bytes. While no public exploit has been disclosed, leaking even a few bytes can provide footholds for further privilege escalation or credential theft, depending on the context in which the kernel is used. The risk remains moderate, with low exercise probability but potential impact if the leaked information is valuable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e8521822c733c6deab0f339843cd37cd62c12795`	affected	< a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e
`e8521822c733c6deab0f339843cd37cd62c12795`	affected	< 547d0b07ad73915b323bc21f85c5d3252bebbbcf
`e8521822c733c6deab0f339843cd37cd62c12795`	affected	< faa72102b178c7ae6c6afea23879e7c84fc59b4e

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0-rc2`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e8521822c733c6deab0f339843cd37cd62c12795,a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e)`	affected	code_commit	—
`[e8521822c733c6deab0f339843cd37cd62c12795,547d0b07ad73915b323bc21f85c5d3252bebbbcf)`	affected	code_commit	—
`[e8521822c733c6deab0f339843cd37cd62c12795,faa72102b178c7ae6c6afea23879e7c84fc59b4e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	semver	—
`[0,6.18)`	unaffected	semver	—
`[6.18.17,7.0.0)`	unaffected	semver	—
`[6.19.7,7.0.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a Linux kernel version that includes the ionic driver stack‑leak fix
Reboot the system to load the updated kernel
Verify that the patch is present by checking the kernel version or the commit hash in the source

Generated by OpenCVE AI on March 26, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf
https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e
https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e
https://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23384-489a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23384
https://www.cve.org/CVERecord?id=CVE-2026-23384

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200 CWE-222

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
References		https://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23384-489a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23384 https://www.cve.org/CVERecord?id=CVE-2026-23384

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-222

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq() struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below) __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask) __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK }; rsvd[7]: 7 bytes of stack memory leaked unconditionally. cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but udma_count could be 1, meaning cqid[1] might never be written via ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4 bytes) is also leaked. So potentially 11 bytes leaked.
Title		RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:28:02.818Z

Updated: 2026-03-25T10:28:02.818Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23384

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:38.633

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23384

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23384 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:48:57Z

Weaknesses

CWE-908

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object