Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm_user: fix info leak in build_mapping()

struct xfrm_usersa_id has a one-byte padding hole after the proto
field, which ends up never getting set to zero before copying out to
userspace. Fix that up by zeroing out the whole structure before
setting individual variables.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s xfrm_user interface. A one‑byte padding hole in struct xfrm_usersa_id is left uninitialized before the structure is copied to userspace by build_mapping(). This allows a process that invokes the relevant ioctl to read uninitialized kernel data, leaking sensitive information and constituting an information exposure flaw caused by use of uninitialized memory.
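
The leak pattern described above, reproduced as a small userspace model (an added example, not kernel code and not part of the CVE record). `struct demo_sa_id`, its member layout apart from `proto`, and the `0xAA` marker are assumptions made for the demonstration; the program builds the structure on deliberately dirty memory with and without the up-front `memset()` and counts the padding bytes that would carry stale data to the reader.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for struct xfrm_usersa_id; members other than proto are assumed. */
struct demo_sa_id {
    uint8_t  daddr[16];
    uint32_t spi;
    uint16_t family;
    uint8_t  proto;              /* one byte of tail padding follows */
};
#define PAD_OFF (offsetof(struct demo_sa_id, proto) + sizeof(uint8_t))
#define STALE   0xAA             /* constructed marker for leftover memory */
typedef void (*fill_fn)(struct demo_sa_id *, uint32_t, uint8_t);

/* Pre-fix pattern: members set one by one, the hole keeps its old contents. */
static void fill_fields(struct demo_sa_id *id, uint32_t spi, uint8_t proto)
{
    memset(id->daddr, 0, sizeof(id->daddr));
    id->spi = spi;
    id->family = 2;              /* constructed sample value */
    id->proto = proto;
}

/* Post-fix pattern: zero the whole structure first, then set the members. */
static void fill_zeroed(struct demo_sa_id *id, uint32_t spi, uint8_t proto)
{
    memset(id, 0, sizeof(*id));
    fill_fields(id, spi, proto);
}

static size_t stale_pad_bytes(fill_fn fill)
{
    struct demo_sa_id id;
    unsigned char out[sizeof(id)];
    size_t i, n = 0;
    memset(&id, STALE, sizeof(id));  /* simulate reused stack/heap memory */
    fill(&id, 0x1234, 50);           /* constructed sample SPI and proto */
    memcpy(out, &id, sizeof(out));   /* stands in for the copy to userspace */
    for (i = PAD_OFF; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;                        /* hole bytes still holding stale data */
}

int main(void)
{
    printf("stale hole bytes: pre-fix %zu, post-fix %zu\n",
           stale_pad_bytes(fill_fields), stale_pad_bytes(fill_zeroed));
    return 0;
}
```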

Affected Systems

Affected Linux kernel versions are not explicitly enumerated in the CVE data. The bug exists in any kernel that retains the uninitialized padding in struct xfrm_usersa_id before the build_mapping() routine copies data to userspace. Devices running a kernel that has not yet been patched to zero the structure are at risk. The patch that clears the padding has been merged into recent kernel releases, so updating to a kernel version that includes this change provides remediation.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS is unavailable, so the public data does not provide a quantified severity or likelihood. The attack appears to be local: a privileged or compromised local process can trigger the offending ioctl and read the uninitialized padding without requiring higher kernel privileges. No known exploitation has been reported in the CISA KEV catalog. While the confidentiality impact could aid follow‑on attacks, exploitation requires local access to invoke the kernel interface.

Generated by OpenCVE AI on May 6, 2026 at 12:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the patch that clears the padding hole.
  • If a distribution update is not yet available, download the relevant patch from the referenced Git commits and rebuild the kernel with that patch applied.
  • Restart the system with the updated kernel and configure the bootloader to use the patched kernel as the default.

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_mapping() struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables. |
| Title | | xfrm_user: fix info leak in build_mapping() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |

References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:22.630Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43089

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T10:16:22.200

Modified: 2026-05-06T10:16:22.200

Link: CVE-2026-43089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:00:02Z

Weaknesses

No weakness.