The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23156

CVE-2026-23156: Linux Kernel Information Disclosure Flaw

CVE-2026-23156 is an information disclosure vulnerability in the Linux kernel's efivarfs component that may expose uninitialized heap memory to userspace. This article covers technical details, affected versions, and mitigations.

Published: February 20, 2026

CVE-2026-23156 Overview

CVE-2026-23156 is an Uninitialized Memory Use vulnerability in the Linux kernel's efivarfs (EFI Variables Filesystem) subsystem. The vulnerability exists in the efivar_entry_get() function, which incorrectly returns success even when the underlying __efivar_entry_get() function fails. This improper error propagation can result in uninitialized heap memory being copied to userspace through the efivarfs_file_read() path.

Critical Impact

This vulnerability may allow local attackers to read uninitialized kernel heap memory, potentially exposing sensitive information from kernel memory space to userspace applications.

Affected Products

  • Linux Kernel (multiple versions with efivarfs support)
  • Systems with EFI/UEFI firmware utilizing efivarfs

Discovery Timeline

  • 2026-02-14 - CVE CVE-2026-23156 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23156

Vulnerability Analysis

This vulnerability represents a classic error handling flaw in kernel code where error conditions are silently ignored. The efivar_entry_get() function acts as a wrapper that calls __efivar_entry_get() to retrieve EFI variable data. However, when the internal function fails and returns an error code, the wrapper function incorrectly masks this error and returns success to its callers.

The consequence of this flawed error propagation is significant: when a read operation fails but appears successful, the caller proceeds to use the buffer that was intended to be filled with EFI variable data. Since the underlying read operation failed, this buffer may contain uninitialized heap memory. The efivarfs_file_read() function then copies this potentially sensitive kernel heap data to userspace.

Root Cause

The root cause is improper error handling in the efivar_entry_get() function. The function fails to propagate the return value from __efivar_entry_get(), instead always returning a success status (0) regardless of whether the underlying operation succeeded or failed. This violates the expected contract between the wrapper function and its callers, leading to incorrect assumptions about the validity of retrieved data.

Attack Vector

The attack vector for this vulnerability is local, requiring the attacker to have access to the affected system with permissions to read from the efivarfs filesystem (typically mounted at /sys/firmware/efi/efivars/). An attacker could:

  1. Craft specific read requests to EFI variables that trigger failure conditions in __efivar_entry_get()
  2. Exploit race conditions or edge cases that cause the underlying function to fail
  3. Repeatedly read EFI variable files to harvest uninitialized kernel heap memory

The information disclosed could potentially include sensitive kernel data structures, memory addresses useful for defeating KASLR, or fragments of other security-sensitive information that happened to reside in kernel heap memory.

Detection Methods for CVE-2026-23156

Indicators of Compromise

  • Unusual read patterns on efivarfs mounted filesystems (typically /sys/firmware/efi/efivars/)
  • Processes repeatedly reading EFI variables with unexpected read patterns
  • Applications accessing efivarfs that don't typically require UEFI variable access
  • Kernel log messages indicating EFI variable read failures without corresponding application errors

Detection Strategies

  • Monitor system calls targeting /sys/firmware/efi/efivars/ for anomalous access patterns
  • Implement file integrity monitoring on efivarfs access logs
  • Deploy kernel-level auditing for efivarfs operations using auditd or similar frameworks
  • Use SentinelOne's kernel-level monitoring to detect suspicious memory access patterns

Monitoring Recommendations

  • Enable kernel auditing for file operations on /sys/firmware/efi/efivars/
  • Monitor for processes with elevated privileges accessing EFI variables unexpectedly
  • Implement behavioral analysis to detect information disclosure attempt patterns
  • Review system logs for EFI-related error messages that may indicate exploitation attempts

How to Mitigate CVE-2026-23156

Immediate Actions Required

  • Update the Linux kernel to a patched version as soon as available
  • Restrict access to efivarfs by limiting permissions on /sys/firmware/efi/efivars/
  • Review and audit processes that require access to EFI variables
  • Consider unmounting efivarfs on systems where UEFI variable access is not required

Patch Information

The Linux kernel maintainers have released patches to fix this vulnerability. The fix involves properly returning the error code from __efivar_entry_get() instead of masking it. Multiple commits have been published to stable kernel branches:

  • Kernel Git Commit 3960f17
  • Kernel Git Commit 4b22ec1
  • Kernel Git Commit 510a16f
  • Kernel Git Commit 89b8ca7
  • Kernel Git Commit e4e15a0

Workarounds

  • Restrict efivarfs access to root-only using filesystem permissions
  • Unmount efivarfs on systems that don't require runtime UEFI variable manipulation
  • Use mandatory access control frameworks (SELinux, AppArmor) to limit efivarfs access to authorized processes only
  • Consider using immutable flag on critical EFI variables if supported
bash
# Configuration example
# Restrict efivarfs access permissions
chmod 700 /sys/firmware/efi/efivars/

# Optional: Unmount efivarfs if not needed
umount /sys/firmware/efi/efivars/

# Prevent automatic mounting (add to /etc/fstab)
# efivarfs /sys/firmware/efi/efivars efivarfs noauto,nosuid,nodev,noexec 0 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit Changes
  • Kernel Git Commit Changes
  • Kernel Git Commit Changes
  • Kernel Git Commit Changes
  • Kernel Git Commit Changes
  • Related CVEs
  • CVE-2026-23430: Linux Kernel Memory Leak Vulnerability
  • CVE-2026-23465: Linux Kernel Btrfs Logging Vulnerability
  • CVE-2026-23421: Linux Kernel Information Disclosure Flaw
  • CVE-2026-23303: Linux Kernel Information Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English