#VU124456 Exposure of sensitive information to an unauthorized actor in Linux kernel - CVE-2026-23384
Published: March 25, 2026
Vulnerability identifier: #VU124456
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23384
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization of stack memory in the RDMA/ionic driver when handling control queue creation. A local user can trigger the creation of a control queue via the ionic_create_cq() interface, causing uninitialized stack memory to be returned to userspace, which may disclose up to 11 bytes of kernel stack data.
The disclosed data may include portions of kernel stack memory due to partial initialization of the response structure before being copied to userspace.
Remediation
Install security update from vendor's repository.