Description
In the Linux kernel, the following vulnerability has been resolved:

net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak

When building netlink messages, tc_chain_fill_node() never initializes
the tcm_info field of struct tcmsg. Since the allocation is not zeroed,
kernel heap memory is leaked to userspace through this 4-byte field.

The fix simply zeroes tcm_info alongside the other fields that are
already initialized.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because tc_chain_fill_node never initializes the 4‑byte tcm_info field of struct tcmsg. When the kernel builds netlink messages the buffer is allocated but not zeroed, so parts of kernel heap memory are injected into userspace. Based on the description, it is inferred that an attacker with local access can invoke a netlink tc_* operation that calls tc_chain_fill_node and read the leaked tcm_info data, exposing sensitive kernel state. This is an uninitialized memory bug (CWE-908) that poses a confidentiality risk.

Affected Systems

The flaw exists in the Linux kernel in all releases prior to the commit that zeroes tcm_info. The fix is distributed in the mainline kernel; any distribution that still ships its own unpatched kernel is vulnerable. Administrators should confirm that their current kernel includes the commit referenced in the kernel git links.

Risk and Exploitability

The CVSS score is 5.5 and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is inferred to be local: a process that can send or receive netlink traffic to the tc_ interface may trigger tc_chain_fill_node and observe the leaked tcm_info field. Exploitation requires at least local privileges or control over netlink traffic, but no public exploits have been documented, so the probability of exploitation remains low.

Generated by OpenCVE AI on May 2, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the commit which zeroes tcm_info.
  • If an upgrade is not possible, limit local access to netlink tc_* interfaces, e.g., by using SELinux/AppArmor or firewall netlink rules, to reduce the attack surface.
  • Enable kernel auditing or integrity monitoring to detect anomalous access to netlink or tc_* interfaces, ensuring quick detection and patching.

Generated by OpenCVE AI on May 2, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sat, 02 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field. The fix simply zeroes tcm_info alongside the other fields that are already initialized.
Title net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:27.484Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43035

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:48.147

Modified: 2026-05-08T18:43:05.513

Link: CVE-2026-43035

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43035 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T13:30:43Z

Weaknesses