Impact
The vulnerability exists in the tun driver of the Linux kernel. When a non‑tunnel socket buffer is read through a TUN interface, tun_put_user() allocates a stack‑based struct for the vnet header but only zeroes the first 10 bytes. An unprivileged local user can set a header size of 24 bytes with the TUNSETVNETHDRSZ ioctl, causing the partially initialized structure to be copied into user space. Each read of a non‑tunnel packet leaks 14 bytes of kernel stack data, resulting in kernel‑level information disclosure that an attacker can repeatedly obtain.
Affected Systems
Any Linux system running a kernel version that predates the patch in commit 585cb85e9a29185be05f326369573c2663cf4380 include the fix and are not susceptible. System administrators should verify whether their running kernel was built prior to this commit.
Risk and Exploitability
The flaw can beprivileged access; no remote attack vector or elevated privileges are required. The CVSS score of 7.0 indicates moderate risk, while the EPSS score of less than 1% reflects a low but nonzero probability of exploitation. Although the vulnerability is not listed in the CISA KEV catalog, the disclosed kernel information may aid attackers in building more advanced exploits. The impact is therefore significant if the affected system the of exploitation is relatively low.
OpenCVE Enrichment