CVE-2026-23156 Overview
CVE-2026-23156 is a Linux kernel vulnerability in the efivarfs filesystem that allows uninitialized heap memory to leak to userspace. The flaw resides in efivar_entry_get(), which always returned success even when the underlying __efivar_entry_get() call failed. As a result, the efivarfs_file_read() path could copy uninitialized kernel heap data to user-controlled buffers. A local authenticated attacker on an affected system can leverage this issue to disclose sensitive kernel memory contents.
Critical Impact
Local users with access to efivarfs may read uninitialized kernel heap memory, exposing sensitive data such as cryptographic material, pointers useful for KASLR bypass, or other in-flight kernel state.
Affected Products
- Linux kernel 6.19-rc1 through 6.19-rc7
- Earlier Linux kernel branches referenced in the stable backports (commits 3960f175..., 4b22ec16..., 510a16f1..., 89b8ca70..., e4e15a0a...)
- Distributions shipping unpatched Linux kernels with efivarfs enabled
Discovery Timeline
- 2026-02-14 - CVE-2026-23156 published to the National Vulnerability Database (NVD)
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-23156
Vulnerability Analysis
The vulnerability is an instance of uninitialized memory disclosure rooted in incorrect error propagation. The helper function efivar_entry_get() wraps __efivar_entry_get(), which retrieves the value of a UEFI variable into a caller-supplied buffer. When the underlying call fails, for example due to firmware errors or an unknown variable, the buffer is left untouched. The wrapper, however, did not propagate this error and returned success unconditionally.
Callers such as efivarfs_file_read() then proceeded as if the buffer contained valid variable data. Because the buffer was allocated from the kernel heap without zeroing, its contents reflect previously freed kernel allocations. The read path then copies this uninitialized region into the userspace buffer supplied to read(2).
This class of bug is tracked as CWE-908 (Use of Uninitialized Resource) and is functionally similar to other infoleak primitives that enable local attackers to weaken kernel address space layout randomization (KASLR) or extract residual secrets.
Root Cause
The root cause is missing error propagation in efivar_entry_get(). The wrapper discarded the return value of __efivar_entry_get() and always reported success to the caller, decoupling buffer validity from the function's return code. The fix, applied across multiple stable branches, returns the error from __efivar_entry_get() so that callers can correctly abort and avoid acting on uninitialized data.
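To make the error-propagation defect concrete, here is an added C model; it is not kernel code, and backend_get, entry_get_vulnerable, entry_get_fixed and file_read are hypothetical stand-ins for __efivar_entry_get(), efivar_entry_get() before and after the fix, and efivarfs_file_read(). It shows that only the fixed wrapper lets the read path reject a failed lookup instead of copying the stale buffer to the caller.

```c
/* Added model of the CVE-2026-23156 defect; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define VAR_SIZE 16
/* Constructed stand-in for the UEFI variable store. */
struct fake_var { const char *name; char data[VAR_SIZE]; };
static const struct fake_var store[] = { { "BootOrder", "\x01\x00\x02\x00" } };

/* Role of __efivar_entry_get(): fills buf on success, else -ENOENT with buf untouched. */
static int backend_get(const char *name, char *buf, size_t size)
{
    if (size > VAR_SIZE)
        return -EINVAL;
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].name, name) == 0) {
            memcpy(buf, store[i].data, size);
            return 0;
        }
    return -ENOENT;
}

/* Vulnerable wrapper (pre-fix shape): backend result discarded, success always reported. */
int entry_get_vulnerable(const char *name, char *buf, size_t size)
{
    backend_get(name, buf, size);
    return 0;
}

/* Fixed wrapper: the backend's error code reaches the caller. */
int entry_get_fixed(const char *name, char *buf, size_t size)
{
    return backend_get(name, buf, size);
}

/* Role of the read path. kbuf is filled with 0xAA to stand in for stale contents
 * of a non-zeroing heap allocation. Returns bytes copied or a negative errno. */
long file_read(int (*get)(const char *, char *, size_t), const char *name,
               char *user, size_t size)
{
    char *kbuf = malloc(size);
    if (!kbuf) return -ENOMEM;
    memset(kbuf, 0xAA, size);
    int err = get(name, kbuf, size);
    if (!err) /* trusts get(): with the vulnerable wrapper the 0xAA bytes reach the caller */
        memcpy(user, kbuf, size);
    free(kbuf);
    return err ? err : (long)size;
}
```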
Attack Vector
Exploitation requires local access and the ability to read files under the efivarfs mount, typically /sys/firmware/efi/efivars/. Read access to this filesystem is normally restricted to privileged users, which limits the attack surface but does not eliminate risk in multi-user systems, container hosts, or sandboxed environments where capabilities or bind mounts may expose efivarfs indirectly. An attacker triggers a failing path inside __efivar_entry_get() and then reads the corresponding entry to receive uninitialized kernel heap contents in the response.
No public proof-of-concept exploit or in-the-wild exploitation has been reported for CVE-2026-23156.
Detection Methods for CVE-2026-23156
Indicators of Compromise
- Unexpected processes accessing files under /sys/firmware/efi/efivars/ outside of normal firmware management tooling such as efibootmgr or fwupd.
- Repeated read() syscalls against efivarfs entries from non-root or unusual user contexts.
- Kernel logs showing UEFI variable access errors paired with successful userspace reads of the same entries.
Detection Strategies
- Audit kernel build versions against the fixed commits listed in the upstream advisories to identify hosts still exposed.
- Enable auditd rules on the efivarfs mount point to record open and read operations on EFI variable files.
- Correlate process telemetry with file access events on /sys/firmware/efi/efivars/ to identify anomalous readers.
Monitoring Recommendations
- Track running kernel versions across the fleet and flag any host running an unpatched 6.19-rc series or older unpatched stable branch.
- Monitor for privilege escalation attempts that precede efivarfs access, since the bug is most useful as part of a longer local exploitation chain.
- Alert on container workloads that mount /sys/firmware/efi/efivars/ or grant CAP_SYS_ADMIN, which expands the population of users able to reach the vulnerable code path.
How to Mitigate CVE-2026-23156
Immediate Actions Required
- Apply the upstream kernel patches referenced by commits 3960f1754664, 4b22ec1685ce, 510a16f1c5c1, 89b8ca709eee, and e4e15a0a4403, or update to a distribution kernel that includes these fixes.
- Restrict access to /sys/firmware/efi/efivars/ to root-only contexts and remove unnecessary capabilities from non-administrative users and containers.
- Inventory containers and sandboxes to ensure none expose efivarfs to untrusted workloads.
Patch Information
The fix returns the error from __efivar_entry_get() so that callers no longer act on uninitialized buffers. Patches have been merged upstream and backported to affected stable branches. See the Linux kernel commit 3960f175, commit 4b22ec16, commit 510a16f1, commit 89b8ca70, and commit e4e15a0a for the canonical fixes.
Workarounds
- Unmount efivarfs (umount /sys/firmware/efi/efivars) on systems that do not require runtime UEFI variable access.
- Remove or blacklist the efivarfs kernel module where firmware updates are not performed at runtime.
- Tighten Linux Security Module policy (SELinux, AppArmor) to deny read access to efivarfs from non-administrative domains until kernels are patched.
# Configuration example: disable efivarfs access on hosts that do not need it
sudo umount /sys/firmware/efi/efivars            # detach the running mount
sudo sed -i '/efivarfs/d' /etc/fstab             # do not remount it from fstab at boot
# The blacklist only applies when efivarfs is built as a module (CONFIG_EFIVAR_FS=m);
# with efivarfs compiled into the kernel it has no effect.
echo 'blacklist efivarfs' | sudo tee /etc/modprobe.d/blacklist-efivarfs.conf
sudo update-initramfs -u                         # Debian/Ubuntu; Fedora/RHEL-family: sudo dracut -f
# systemd mounts efivarfs early in boot on EFI systems regardless of fstab, so confirm the
# result after a reboot with: findmnt /sys/firmware/efi/efivars
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.