CVE-2026-52937 - Vulnerability Details

- tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

Description

In the Linux kernel, the following vulnerability has been resolved:

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3b23a32a63219f51a5298bc55a65ecee866e79d0`	affected	< 719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb
`3b23a32a63219f51a5298bc55a65ecee866e79d0`	affected	< 05305e832be7b9d65b2b72caacf7d850b3942b2a
`3b23a32a63219f51a5298bc55a65ecee866e79d0`	affected	< bddc09212c24934643bd44fc794748d2bbb3b6cd
`176188cff67ec1aa55103647b61d02315cc38e98`	affected	—
`1fc205d9e400f069ebf30d3faa6ec2bab2cbd7b4`	affected	—
`4d0ae760c02c98fc78b78d3a0509896bc648ad1c`	affected	—
`5.4.103`	affected	< 5.5
`5.10.21`	affected	< 5.11
`5.11.4`	affected	< 5.12

Linux

affected

Version	Status	Constraints
`5.12`	affected	—
`0`	unaffected	< 5.12
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a
https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb
https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.
Title		tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:27.305Z

Updated: 2026-06-24T07:14:27.305Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52937

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object