CVE-2026-52937 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a
https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb
https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.
Title		tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:27.305Z

Updated: 2026-06-24T07:14:27.305Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52937

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52937", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.370Z", "datePublished": "2026-06-24T07:14:27.305Z", "dateUpdated": "2026-06-24T07:14:27.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T07:14:27.305Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR\n\nIn the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an\nuninitialised on-stack struct sockaddr_storage to userspace via\nifr_hwaddr, but netif_get_mac_address() only writes sa_family and\ndev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.\n\nThose 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a\nmacvtap chardev returns kernel .text and direct-map pointers, defeating\nKASLR.\n\nInitialise ss at declaration."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tap.c"], "versions": [{"version": "3b23a32a63219f51a5298bc55a65ecee866e79d0", "lessThan": "719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb", "status": "affected", "versionType": "git"}, {"version": "3b23a32a63219f51a5298bc55a65ecee866e79d0", "lessThan": "05305e832be7b9d65b2b72caacf7d850b3942b2a", "status": "affected", "versionType": "git"}, {"version": "3b23a32a63219f51a5298bc55a65ecee866e79d0", "lessThan": "bddc09212c24934643bd44fc794748d2bbb3b6cd", "status": "affected", "versionType": "git"}, {"version": "176188cff67ec1aa55103647b61d02315cc38e98", "status": "affected", "versionType": "git"}, {"version": "1fc205d9e400f069ebf30d3faa6ec2bab2cbd7b4", "status": "affected", "versionType": "git"}, {"version": "4d0ae760c02c98fc78b78d3a0509896bc648ad1c", "status": "affected", "versionType": "git"}, {"version": "5.4.103", "lessThan": "5.5", "status": "affected", "versionType": "semver"}, {"version": "5.10.21", "lessThan": "5.11", "status": "affected", "versionType": "semver"}, {"version": "5.11.4", "lessThan": "5.12", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/tap.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.34", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.11", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.18.34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.0.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb"}, {"url": "https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a"}, {"url": "https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd"}], "title": "tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR", "x_generator": {"engine": "bippy-1.2.0"}}}}