Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/ionic: Fix kernel stack leak in ionic_create_cq()

struct ionic_cq_resp resp {
        __u32 cqid[2];   // offset 0 - PARTIALLY SET (see below)
        __u8 udma_mask;  // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
        __u8 rsvd[7];    // offset 9 - NEVER SET <- LEAK
};

rsvd[7]: 7 bytes of stack memory leaked unconditionally.

cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
udma_count could be 1, meaning cqid[1] might never be written via
ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
bytes) is also leaked. So potentially 11 bytes leaked.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Stack Leakage
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a kernel stack leak in the RDMA/ionic driver, specifically within the ionic_create_cq() routine. Uninitialized fields of the on-stack response structure expose 7 to 11 bytes of kernel stack data, which could contain sensitive kernel state. The flaw is categorized as a memory leak (CWE-401) and as use of an uninitialized resource (CWE-908), which here results in information exposure.
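The byte counts in the description can be reproduced with a user-space model of the response structure. This is an added example, not code from the ionic driver or the upstream fix. The 0xAA fill standing in for stale stack contents, the cqid values, the whole-struct copy-out, and zeroing before the fill as the hardened form are all assumptions made for illustration.

```c
/* Added example: user-space model of the leak, not driver code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old stack contents */

/* Layout as given in the description: 4+4+1+7 = 16 bytes, no padding. */
struct ionic_cq_resp {
    uint32_t cqid[2];
    uint8_t  udma_mask;
    uint8_t  rsvd[7];
};

/* Fill pattern from the description: skip indices whose mask bit is clear,
 * set udma_mask, never touch rsvd. zero_first models the hardened form. */
static void fill_resp(struct ionic_cq_resp *resp, uint8_t udma_mask, int zero_first)
{
    if (zero_first)
        memset(resp, 0, sizeof(*resp));
    for (int udma_idx = 0; udma_idx < 2; udma_idx++) {
        if (!(udma_mask & (1u << udma_idx)))
            continue;
        resp->cqid[udma_idx] = 0x100u + (uint32_t)udma_idx; /* constructed id */
    }
    resp->udma_mask = udma_mask;
}

/* Number of bytes in the reply that still hold stale "stack" data. */
static int leaked_bytes(uint8_t udma_mask, int zero_first)
{
    struct ionic_cq_resp resp;
    unsigned char out[sizeof(resp)];
    int n = 0;
    memset(&resp, STALE, sizeof(resp));   /* deterministic stand-in for stale stack */
    fill_resp(&resp, udma_mask, zero_first);
    memcpy(out, &resp, sizeof(resp));     /* assumed whole-struct copy-out */
    for (size_t i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("mask=0x1 unzeroed: %d\n", leaked_bytes(0x1, 0));
    printf("mask=0x3 unzeroed: %d\n", leaked_bytes(0x3, 0));
    printf("mask=0x1 zeroed:   %d\n", leaked_bytes(0x1, 1));
    return 0;
}
```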

Affected Systems

Linux kernels that contain the RDMA/ionic driver from version 6.18 through 7.0 release candidates 1 to 7 are affected. Any distribution using these kernels without the authoritative patch remains vulnerable; this includes both mainline and backport builds that have not yet integrated the fix.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA’s KEV catalog. An attacker with local or privileged access to the RDMA subsystem could trigger ionic_create_cq() and read the leaked bytes. Although no public exploit currently exists, leaking kernel data can aid further privilege escalation or credential theft. The overall risk is moderate, with a low probability of exploitation but potentially significant impact if the leaked data is valuable.

Generated by OpenCVE AI on April 28, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install or upgrade to a Linux kernel release that contains the ionic driver stack‑leak fix (e.g., kernel 6.18 or 7.0 rc7 and later).
  • If an upgrade is not feasible, backport the commit that fixes ionic_create_cq() (commit 547d0b07ad73915b323bc21f85c5d3252bebbbcf) to your kernel source, rebuild the kernel or the ionic module, and install it.
  • Reboot the system or unload and reload the RDMA module so that the patched driver is loaded at boot.
  • Restrict RDMA device access to privileged users only to reduce the attack surface.



Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-222

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-222

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:05:50.100Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23384

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:38.633

Modified: 2026-04-24T18:42:33.970

Link: CVE-2026-23384

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23384 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T17:00:13Z