CVE-2026-23384

EUVD-2026-15381
In the Linux kernel, the following vulnerability has been resolved:

RDMA/ionic: Fix kernel stack leak in ionic_create_cq()

struct ionic_cq_resp resp {
    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)
    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
    __u8  rsvd[7];         // offset 9 - NEVER SET <- LEAK
};

rsvd[7]: 7 bytes of stack memory leaked unconditionally.

cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
udma_count could be 1, meaning cqid[1] might never be written via
ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
bytes) is also leaked. So potentially 11 bytes leaked.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.164-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-1
fixed
forky
6.19.8-1
fixed
sid
6.19.8-1
fixed
trixie
6.12.73-1
fixed
trixie (security)
6.12.74-2
fixed
References
https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf
https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e
https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e