Description
In the Linux kernel, the following vulnerability has been resolved:

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the tap driver contains a flaw that causes the to copy 16 bytes from an uninitialized on‑stack structure, leaving eight bytes of kernel stack data exposed. An attacker who can call this ioctl on a macvtap character device can read kernel .text and direct‑map addresses, which defeats Kernel Address Space Layout Randomization.

Affected Systems

Any Linux system running a kernel version that predates the commit that added proper initialization of the sockaddr_storage in tap_ioctl is vulnerable. This includes all standard Linux kernel releases until the patch is applied, regardless of distribution, as the affected code is part of the core kernel.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low exploitation probability, and the CVSS score of 5.5 classifies the vulnerability as moderate. The bug is not listed in CISA KEV. Although the score is moderate, the leak of kernel addresses provides a foothold that can aid further attacksASLR is bypassed. The likely attack vector is local or privileged access to the macvtap device, inferred from the need to perform SIOCGIFHWADDR on that character device.

Generated by OpenCVE AI on June 25, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the tap driver fix for proper sockaddr_storage initialization
  • If an immediate patch is not possible, restrict or remove unnecessary macvtap devices and apply strict file permissions or ACLs to the macvtap device to limit access to trusted users
  • Continuously monitor vendor advisories and security feeds for related kernel exploits or additional mitigations

Generated by OpenCVE AI on June 25, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.
Title tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:27.305Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52937

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52937 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses
  • CWE-909

    Missing Initialization of Resource