Bug 2492102 (CVE-2026-52937) - CVE-2026-52937 kernel: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
Summary: CVE-2026-52937 kernel: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
Keywords:
Status: NEW
Alias: CVE-2026-52937
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 08:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 10:42 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 08:02:07 UTC
In the Linux kernel, the following vulnerability has been resolved:

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.

Comment 1 Mauro Matteo Cascella 2026-06-24 10:41:22 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062434-CVE-2026-52937-62eb@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.