{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23384", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.008Z", "datePublished": "2026-03-25T10:28:02.818Z", "dateUpdated": "2026-04-13T06:06:21.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:06:21.142Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)\n __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)\n __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/ionic/ionic_controlpath.c"], "versions": [{"version": "e8521822c733c6deab0f339843cd37cd62c12795", "lessThan": "a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e", "status": "affected", "versionType": "git"}, {"version": "e8521822c733c6deab0f339843cd37cd62c12795", "lessThan": "547d0b07ad73915b323bc21f85c5d3252bebbbcf", "status": "affected", "versionType": "git"}, {"version": "e8521822c733c6deab0f339843cd37cd62c12795", "lessThan": "faa72102b178c7ae6c6afea23879e7c84fc59b4e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/ionic/ionic_controlpath.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"}, {"url": "https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf"}, {"url": "https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e"}], "title": "RDMA/ionic: Fix kernel stack leak in ionic_create_cq()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "07E9D8CD-82F0-4CC6-8038-BF71758D583C", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.18.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)\n __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)\n __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nRDMA/ionic: Correcci\u00f3n de fuga de pila del kernel en ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n __u32 cqid[2]; // offset 0 - PARCIALMENTE ESTABLECIDO (ver abajo)\n __u8 udma_mask; // offset 8 - ESTABLECIDO (resp.udma_mask = vcq-&gt;udma_mask)\n __u8 rsvd[7]; // offset 9 - NUNCA ESTABLECIDO &lt;- FUGA\n};\n\nrsvd[7]: 7 bytes de memoria de pila fugados incondicionalmente.\n\ncqid[2]: El bucle en la l\u00ednea 1256 itera sobre udma_idx pero omite los \u00edndices donde !(vcq-&gt;udma_mask &amp; BIT(udma_idx)). El array tiene 2 entradas pero udma_count podr\u00eda ser 1, lo que significa que cqid[1] podr\u00eda nunca ser escrito a trav\u00e9s de ionic_create_cq_common(). Si udma_mask solo tiene el bit 0 establecido, cqid[1] (4 bytes) tambi\u00e9n se fuga. As\u00ed que potencialmente 11 bytes fugados."}], "id": "CVE-2026-23384", "lastModified": "2026-04-24T18:42:33.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:38.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: RDMA/ionic: Fix kernel stack leak in ionic_create_cq()", "id": "2451248", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451248"}, "csaw": false, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel, specifically within the RDMA/ionic component. This vulnerability is a kernel stack leak that occurs in the `ionic_create_cq()` function. It could allow an attacker to gain unauthorized access to sensitive information by leaking up to 11 bytes of stack memory. This could potentially expose internal system data."], "name": "CVE-2026-23384", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23384\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23384\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23384-489a@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e8521822c733c6deab0f339843cd37cd62c12795,a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e8521822c733c6deab0f339843cd37cd62c12795,547d0b07ad73915b323bc21f85c5d3252bebbbcf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e8521822c733c6deab0f339843cd37cd62c12795,faa72102b178c7ae6c6afea23879e7c84fc59b4e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:58:50.840454+00:00", "value": {"mitigation_remediation": ["Install or upgrade to a Linux kernel release that contains the ionic driver stack\u2011leak fix (e.g., kernel 6.18 or 7.0 rc7 and later).", "If an upgrade is not feasible, backport the commit that fixes ionic_create_cq() (commit 547d0b07ad73915b323bc21f85c5d3252bebbbcf) to your kernel source, rebuild the kernel or the ionic module, and install it.", "Reboot the system or unload and reload the RDMA module so that the patched driver is loaded at boot.", "Restrict RDMA device access to privileged users only to reduce the attack surface."], "summary": {"action": "Apply Patch", "impact": "Kernel Stack Leakage"}, "threat_synthesis": {"affected_systems": "Linux kernels that contain the RDMA/ionic driver from version 6.18 through 7.0 release candidates 1 to 7 are affected. Any distribution using these kernels without the authoritative patch remains vulnerable; this includes both mainline and backport builds that have not yet integrated the fix.", "description_and_impact": "The vulnerability is a stack memory leak in the RDMA/ionic driver, specifically within the ionic_create_cq() routine. Uninitialized fields expose 7 to 11 bytes of kernel stack data, which could contain sensitive kernel state. The flaw is categorized as a memory leak (CWE-401) and an information\u2011exposure issue (CWE-908).", "risk_and_exploitability": "The CVSS score is 5.5, indicating moderate severity. The EPSS score is less than 1\u202f%, and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker with local or privileged access to the RDMA subsystem could trigger ionic_create_cq() and read the leaked bytes. Though currently no public exploit exists, leaking kernel data can aid further privilege escalation or credential theft. The overall risk is moderate, with a low probability of exploitation but potentially significant impact if the data leaked is valuable."}}}}, "created": "2026-03-25T21:31:32.047197+00:00", "updated": "2026-04-28T17:00:13.470315+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}