CVE Disclosure · Linux Kernel

CVE-2026-46132

Linux Kernel · net/rtnetlink

ifla_vf_broadcast infoleak — uninitialized kernel memory exposed to userspace via Netlink

Severity: Low · Medium
Class: CWE-200
Subsystem: net/rtnetlink
Status: Fixed (stable)

Summary

CVE-2026-46132 is an information disclosure (CWE-200) vulnerability in the Linux kernel's net/rtnetlink subsystem. When a caller queries SR-IOV Virtual Function (VF) information over Netlink, the kernel populates the ifla_vf_broadcast attribute from a structure that has not been fully initialized. The uninitialized bytes — potentially containing kernel stack data, pointers, or other sensitive memory — are then copied verbatim into the Netlink reply and returned to userspace.

The leak is triggered by any process that can send an RTM_GETLINK request with VF stats enumeration against a device that reports SR-IOV VF data. The extent of the exposure depends on what occupies the uninitialized region at call time.

Technical Detail

The ifla_vf_broadcast Netlink attribute carries a struct ifla_vf_broadcast value. In the affected code path inside rtnetlink.c, the structure is declared on the stack and partially filled — the broadcast MAC address field is written, but the padding or trailing members are left uninitialized. The full structure size is then passed to nla_put, committing the uninitialized bytes to the Netlink socket.

The upstream fix initializes the structure to zero before populating it, ensuring no kernel memory is forwarded to userspace.
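
The pattern described above, reduced to a userspace C model; this is an added example, not the kernel's code or the upstream patch. The `struct vf_bcast` stand-in, its 32-byte field, the 6-byte address and the 0xA5 "stale stack" marker are assumptions for illustration, and `put_attr` models `nla_put` copying whatever length it is given.

```c
#include <stdio.h>
#include <string.h>

#define BCAST_FIELD_LEN 32   /* assumed size of the attribute payload */
#define HW_ADDR_LEN      6   /* assumed Ethernet-style address length */
typedef unsigned char u8;
/* Stand-in for struct ifla_vf_broadcast (layout is an assumption). */
struct vf_bcast { u8 broadcast[BCAST_FIELD_LEN]; };

/* Models nla_put(): the length argument, not the bytes written, decides what is copied. */
static size_t put_attr(u8 *reply, const void *data, size_t len)
{
    memcpy(reply, data, len);
    return len;
}

/* Pattern described on the page: partial fill, then a full-size put. */
static size_t fill_unpatched(u8 *reply, struct vf_bcast *slot, const u8 *addr, size_t alen)
{
    memcpy(slot->broadcast, addr, alen);   /* only alen bytes are written */
    return put_attr(reply, slot, sizeof(*slot));
}

/* Fixed pattern: zero the whole structure before populating it. */
static size_t fill_patched(u8 *reply, struct vf_bcast *slot, const u8 *addr, size_t alen)
{
    memset(slot, 0, sizeof(*slot));
    memcpy(slot->broadcast, addr, alen);
    return put_attr(reply, slot, sizeof(*slot));
}

/* Returns how many reply bytes past the address still hold the stale marker. */
size_t stale_bytes_in_reply(int patched)
{
    static const u8 addr[HW_ADDR_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    struct vf_bcast slot;
    u8 reply[sizeof(slot)];
    size_t i, n, stale = 0;
    memset(&slot, 0xA5, sizeof(slot));     /* constructed "previous stack contents" */
    n = (patched ? fill_patched : fill_unpatched)(reply, &slot, addr, sizeof(addr));
    for (i = sizeof(addr); i < n; i++)
        stale += (reply[i] == 0xA5);
    return stale;
}

int main(void)
{
    printf("unpatched: %zu stale, patched: %zu stale\n", stale_bytes_in_reply(0), stale_bytes_in_reply(1));
    return 0;
}
```

In the model, every byte of the payload that the partial fill did not overwrite reaches the reply unchanged; zeroing first leaves none.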

Impact

An unprivileged or low-privilege process that can issue Netlink queries against SR-IOV-capable network interfaces can read bytes of kernel memory it is not entitled to. Depending on the kernel version and allocator behavior, this may include:

This class of infoleak is frequently chained with a separate vulnerability that requires an address oracle to become reliably exploitable. Standalone, it is Low to Medium severity.

Resolution

The fix is in kernel commit 4b9e327 in net/rtnetlink. Zero-initialize struct ifla_vf_broadcast before writing the broadcast address, eliminating the uninitialized-bytes exposure. Update to a kernel version that includes this stable backport.

References

Disclosure

Reported by Kai Aizen (SnailSploit). Fix committed to Linux stable by Kai Zen. Coordinated through the standard kernel security process.

Author
Kai Aizen
Independent Adversarial · Research group. Published CVEs, Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Frequently asked

CVE-2026-46132 — questions & answers

What is CVE-2026-46132?

An information disclosure vulnerability (CWE-200) in the Linux kernel's net/rtnetlink subsystem. The ifla_vf_broadcast Netlink attribute is populated from an uninitialized stack structure, leaking kernel memory bytes to userspace callers querying SR-IOV VF information.

Am I affected by CVE-2026-46132?

You are affected if your kernel predates stable commit 4b9e327991815e128ad3af75c3a04630a63ce3e0. Systems without SR-IOV hardware have reduced practical exposure, but the vulnerable code path exists in the affected kernel range. Apply the stable update.

How do I fix CVE-2026-46132?

Apply upstream fix commit 4b9e327 in net/rtnetlink. The patch zero-initializes struct ifla_vf_broadcast before writing the broadcast address field, ensuring no uninitialized memory is forwarded to userspace. Distributions will carry this in stable kernel updates.

What is the impact of CVE-2026-46132?

Information disclosure. Kernel memory bytes — potentially including virtual addresses, stack remnants, or other sensitive data — leak to userspace through Netlink VF broadcast queries. This can aid KASLR bypass or serve as an oracle for kernel exploitation primitives. Severity is Low to Medium standalone.

Where can I find authoritative references?

The upstream fix is at git.kernel.org stable commit 4b9e327991815e128ad3af75c3a04630a63ce3e0. The MITRE CVE record is at cve.org/CVERecord?id=CVE-2026-46132 and the NVD record at nvd.nist.gov/vuln/detail/CVE-2026-46132.