Description
In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

There is an bug in which an uninitialized stack variable is used in
rseq_exit_user_update() as reported by syzbot:

BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]

The local variable:

struct rseq_ids ids = {
.cpu_id = task_cpu(t),
.mm_cid = task_mm_cid(t),
.node_id = cpu_to_node(ids.cpu_id),
};

According to the C standard, the evaluation order of expressions in an
initializer list is indeterminately sequenced. The compiler (Clang, in
this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before*
`ids.cpu_id` is initialized with `task_cpu(t)`.

This is fixed by moving the assignment of ids.node_id outside the
structure initialization.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s rseq_exit_user_update function, where an uninitialized stack variable is used. The compiler may evaluate cpu_to_node(ids.cpu_id) before ids.cpu_id is assigned, causing the node_id field to contain an indeterminate value. When rseq_set_ids_get_csaddr is invoked, kernel information leak that exposes kernel data to the calling process. The weakness is an uninitialized variable usage (CWE‑908).

Affected Systems

All the assignment of ids.node_id outside the struct initialization are affected. The vendor is Linux and the affected product is the Linux kernel; any kernel before this patch is vulnerable.

Risk and Exploitability

The EPSS score is <1%, indicating a very low probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is local or privileged execution, inferred from the description; an attacker would need to trigger the rseq code path to trigger the information‑leak. While the immediate risk is moderate, a successful leak could provide a foothold for higher‑level attacks on the system.

Generated by OpenCVE AI on June 26, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the fix that moves the assignment of ids.node_id outside the struct initialization.
  • If a kernel upgrade is not immediately possible, rebuild the kernel with the latest patched source or manually apply the patch to the rseq_exit_user_update code.
  • Reboot the system to ensure the new kernel is in use.

Generated by OpenCVE AI on June 26, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() There is an bug in which an uninitialized stack variable is used in rseq_exit_user_update() as reported by syzbot: BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline] The local variable: struct rseq_ids ids = { .cpu_id = task_cpu(t), .mm_cid = task_mm_cid(t), .node_id = cpu_to_node(ids.cpu_id), }; According to the C standard, the evaluation order of expressions in an initializer list is indeterminately sequenced. The compiler (Clang, in this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before* `ids.cpu_id` is initialized with `task_cpu(t)`. This is fixed by moving the assignment of ids.node_id outside the structure initialization.
Title rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:37.794Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53243

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53243 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:00:04Z

Weaknesses
  • CWE-908

    Use of Uninitialized Resource