{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23335", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:25.418Z", "dateUpdated": "2026-05-11T22:04:51.125Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:51.125Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/irdma/verbs.c"], "versions": [{"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "1f70df004fdd944653013ccc2e1dfd472a693b46", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "14b47c07c69930254f549a17ee245c80a65b1609", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "2fd37450d271d74b3847baed284f9cfdf198c6f8", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "cfe962216c164fe2b1c1fb6ac925a7413f5abc84", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "c9bd0007c4bdb7806bbd323287e50f9cf467c51a", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "74586c6da9ea222a61c98394f2fc0a604748438c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/irdma/verbs.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1f70df004fdd944653013ccc2e1dfd472a693b46"}, {"url": "https://git.kernel.org/stable/c/14b47c07c69930254f549a17ee245c80a65b1609"}, {"url": "https://git.kernel.org/stable/c/1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8"}, {"url": "https://git.kernel.org/stable/c/2fd37450d271d74b3847baed284f9cfdf198c6f8"}, {"url": "https://git.kernel.org/stable/c/cfe962216c164fe2b1c1fb6ac925a7413f5abc84"}, {"url": "https://git.kernel.org/stable/c/c9bd0007c4bdb7806bbd323287e50f9cf467c51a"}, {"url": "https://git.kernel.org/stable/c/74586c6da9ea222a61c98394f2fc0a604748438c"}], "title": "RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B079407-83B2-4F8B-863E-9DEB27376206", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*", "matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/irdma: Correcci\u00f3n de fuga de pila del kernel en irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, sin relleno\n __u32 ah_id; // desplazamiento 0 - ESTABLECIDO (uresp.ah_id = ah-&gt;sc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // desplazamiento 4 - NUNCA ESTABLECIDO &lt;- FUGA\n};\n\nrsvd[4]: 4 bytes de memoria de pila filtrados incondicionalmente. Solo ah_id se asigna antes de ib_respond_udata().\n\nLos miembros reservados de la estructura no fueron puestos a cero."}], "id": "CVE-2026-23335", "lastModified": "2026-04-23T21:13:06.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:31.050", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/14b47c07c69930254f549a17ee245c80a65b1609"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f70df004fdd944653013ccc2e1dfd472a693b46"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2fd37450d271d74b3847baed284f9cfdf198c6f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/74586c6da9ea222a61c98394f2fc0a604748438c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c9bd0007c4bdb7806bbd323287e50f9cf467c51a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cfe962216c164fe2b1c1fb6ac925a7413f5abc84"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()", "id": "2451242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451242"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel's RDMA/irdma component. This vulnerability, located in the `irdma_create_user_ah()` function, is caused by uninitialized reserved memory. An attacker could potentially exploit this to leak 4 bytes of sensitive stack memory, leading to information disclosure."], "name": "CVE-2026-23335", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23335\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23335\nhttps://lore.kernel.org/linux-cve-announce/2026032533-CVE-2026-23335-602d@gregkh/T"], "statement": "This flaw affects systems with Intel RDMA (irdma) adapters. The irdma_create_ah_resp structure's reserved bytes are not zeroed before being copied to userspace, leaking 4 bytes of kernel stack memory. The leaked data is limited in size and requires RDMA interface access. The current CVSS marks this as A:H but it should be C:L for information disclosure.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,14b47c07c69930254f549a17ee245c80a65b1609)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,2fd37450d271d74b3847baed284f9cfdf198c6f8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,cfe962216c164fe2b1c1fb6ac925a7413f5abc84)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,c9bd0007c4bdb7806bbd323287e50f9cf467c51a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b48c24c2d710cf34810c555dcef883a3d35a9c08,74586c6da9ea222a61c98394f2fc0a604748438c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:42:36.068437+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that incorporates the irdma stack\u2011leak fix.", "If a kernel upgrade is not feasible, disable RDMA functionality or remove RDMA devices to eliminate the attack surface.", "Monitor kernel logs for RDMA\u2011related anomalies that could indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that incorporate the irdma RDMA driver are affected, as the issue resides in generic kernel source. Specific version ranges are not defined, so any kernel including the irdma module could be impacted until the fix is applied.\n\n", "description_and_impact": "The vulnerability is a kernel stack memory leak in the RDMA/irdma driver. During creation of a user address handle the driver\u2019s response structure leaves four reserved bytes uninitialized. Only the handle ID is set, so the four bytes retain whatever stack data was present at the time. The description does not explicitly state whether these bytes are exposed to callers; based on the description, it is inferred that a malicious actor with RDMA access might read these bytes, but this is not guaranteed by the provided information. The leak could potentially expose sensitive kernel state, yet the representational impact depends on how the data is made observable to attackers.\n\n", "risk_and_exploitability": "The CVSS v3 score of 5.5 indicates moderate severity, and the EPSS score of under 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require RDMA device support and the ability to create an address handle; however, the description does not clarify how a read of the leaked bytes is achieved. Consequently, while the potential for information disclosure exists, the actual exploitability remains uncertain.\n\n"}}}}, "created": "2026-03-25T21:32:18.726285+00:00", "updated": "2026-04-29T00:45:26.168412+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}