{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23335", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:25.418Z", "dateUpdated": "2026-03-25T10:27:25.418Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:25.418Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/irdma/verbs.c"], "versions": [{"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "14b47c07c69930254f549a17ee245c80a65b1609", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "2fd37450d271d74b3847baed284f9cfdf198c6f8", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "cfe962216c164fe2b1c1fb6ac925a7413f5abc84", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "c9bd0007c4bdb7806bbd323287e50f9cf467c51a", "status": "affected", "versionType": "git"}, {"version": "b48c24c2d710cf34810c555dcef883a3d35a9c08", "lessThan": "74586c6da9ea222a61c98394f2fc0a604748438c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/irdma/verbs.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14b47c07c69930254f549a17ee245c80a65b1609"}, {"url": "https://git.kernel.org/stable/c/1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8"}, {"url": "https://git.kernel.org/stable/c/2fd37450d271d74b3847baed284f9cfdf198c6f8"}, {"url": "https://git.kernel.org/stable/c/cfe962216c164fe2b1c1fb6ac925a7413f5abc84"}, {"url": "https://git.kernel.org/stable/c/c9bd0007c4bdb7806bbd323287e50f9cf467c51a"}, {"url": "https://git.kernel.org/stable/c/74586c6da9ea222a61c98394f2fc0a604748438c"}], "title": "RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed."}], "id": "CVE-2026-23335", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:31.050", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14b47c07c69930254f549a17ee245c80a65b1609"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b1fac4c7a3ab7f52e9cfb91e5c91216646ca4d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2fd37450d271d74b3847baed284f9cfdf198c6f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/74586c6da9ea222a61c98394f2fc0a604748438c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c9bd0007c4bdb7806bbd323287e50f9cf467c51a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cfe962216c164fe2b1c1fb6ac925a7413f5abc84"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()", "id": "2451242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451242"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel's RDMA/irdma component. This vulnerability, located in the `irdma_create_user_ah()` function, is caused by uninitialized reserved memory. An attacker could potentially exploit this to leak 4 bytes of sensitive stack memory, leading to information disclosure."], "name": "CVE-2026-23335", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23335\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23335\nhttps://lore.kernel.org/linux-cve-announce/2026032533-CVE-2026-23335-602d@gregkh/T"], "statement": "This flaw affects systems with Intel RDMA (irdma) adapters. The irdma_create_ah_resp structure's reserved bytes are not zeroed before being copied to userspace, leaking 4 bytes of kernel stack memory. The leaked data is limited in size and requires RDMA interface access. The current CVSS marks this as A:H but it should be C:L for information disclosure.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:40:42.017875+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel that includes the irdma stack leak fix.", "Verify that the kernel version contains the commit 14b47c07c69930254f549a17ee245c80a65b1609 or later."], "summary": {"action": "Apply patch", "impact": "Kernel stack memory leak exposing kernel data to user space; potential information disclosure."}, "threat_synthesis": {"affected_systems": "The affected component is the RDMA/irdma driver in the Linux kernel. Any Linux system using the irdma module and interacting with RDMA or InfiniBand hardware is potentially impacted. No specific kernel release is listed, so all versions that include the buggy irdma_create_user_ah() implementation may be vulnerable.", "description_and_impact": "A bug in the Linux RDMA/irdma driver caused the irdma_create_user_ah() function to populate a response structure with uninitialized stack memory. The reserved field, four bytes of stack data, was left uninitialized and then sent to user space via ib_respond_udata(). As a result, an attacker with access to the RDMA device could read arbitrary kernel memory contents that were leaked through this channel, making sensitive internal data available outside the kernel boundary. This constitutes an information disclosure vulnerability that could assist other attacks, such as privilege escalation or gathering targets for further analysis.", "risk_and_exploitability": "The CVSS score is not provided, and no EPSS value is available, but the vulnerability is not catalogued in the CISA KEV list, suggesting it is not a widely exploited or actively targeted flaw. The attack vector is likely local, requiring the attacker to have the ability to communicate with a vulnerable RDMA device and invoke the create user address handle call. Because the flaw leaks memory via an infrastructure call that returns user data, exploitation would require knowledge of the kernel memory layout to be useful. Overall, the risk is moderate, but any environment where RDMA services are exposed should treat this as a significant information exposure."}}}}, "created": "2026-03-25T21:32:18.726285+00:00", "updated": "2026-03-25T21:32:18.726320+00:00", "vendors": []}