CVE-2026-23335 Overview
A kernel stack memory leak vulnerability has been identified in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function. The vulnerability stems from uninitialized reserved memory fields in the irdma_create_ah_resp structure being leaked to userspace when responding to Address Handle creation requests.
Critical Impact
Kernel stack memory information disclosure that could leak sensitive kernel data to unprivileged userspace applications, potentially exposing memory layout information useful for further exploitation.
Affected Products
- Linux Kernel with RDMA/irdma driver enabled
- Systems using Intel Ethernet Connection E810 or similar devices with RDMA support
- Multiple Linux kernel stable branches (patches available across several versions)
Discovery Timeline
- 2026-03-25 - CVE-2026-23335 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23335
Vulnerability Analysis
The vulnerability exists in the irdma_create_user_ah() function within the Linux kernel's RDMA/irdma driver. The irdma_create_ah_resp structure is an 8-byte structure containing a 4-byte ah_id field at offset 0 and a 4-byte reserved field rsvd[4] at offset 4.
When creating a user Address Handle, the code properly initializes the ah_id field with uresp.ah_id = ah->sc_ah.ah_info.ah_idx, but fails to initialize or zero the reserved rsvd[4] bytes before calling ib_respond_udata(). This results in 4 bytes of uninitialized kernel stack memory being unconditionally leaked to userspace with every Address Handle creation request.
Root Cause
The root cause is a failure to properly initialize all members of the response structure before copying it to userspace. The irdma_create_ah_resp structure contains reserved padding bytes that were intended for future use or alignment purposes, but were never zeroed before transmission. This is a common class of information disclosure bug in kernel code where response structures contain gaps or reserved fields that aren't explicitly initialized.
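To make the root cause concrete, the following is an added userspace C simulation, not code from the page or from the irdma driver, of the vulnerable pattern beside the patched one. The demo_ struct and functions, and the 0xAA pre-fill standing in for stale kernel stack contents, are constructed for this illustration; they mirror the 8-byte layout and the copy-to-userspace step the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same 8-byte layout the advisory describes: ah_id at offset 0, rsvd[4] at 4. */
struct demo_ah_resp {
    uint32_t ah_id;
    uint8_t  rsvd[4];
};

/* Stand-in for ib_respond_udata(): the whole struct is copied out byte for byte. */
static void demo_respond_udata(uint8_t out[8], const struct demo_ah_resp *resp)
{
    memcpy(out, resp, sizeof(*resp));
}

/* Vulnerable pattern: only ah_id is written; rsvd keeps whatever was there. */
static void demo_create_ah_vulnerable(struct demo_ah_resp *uresp, uint32_t ah_idx, uint8_t out[8])
{
    uresp->ah_id = ah_idx;
    demo_respond_udata(out, uresp);
}

/* Fixed pattern: zero the response before populating it, as the patches do. */
static void demo_create_ah_fixed(struct demo_ah_resp *uresp, uint32_t ah_idx, uint8_t out[8])
{
    memset(uresp, 0, sizeof(*uresp));
    uresp->ah_id = ah_idx;
    demo_respond_udata(out, uresp);
}

/* Run one variant with the struct pre-filled with 0xAA (constructed stand-in for
 * stale stack contents) and return how many reserved bytes reached the caller
 * non-zero; the ah_id the caller received is stored in *ah_id_out. */
static int demo_leaked_rsvd_bytes(int use_fix, uint32_t ah_idx, uint32_t *ah_id_out)
{
    struct demo_ah_resp uresp;
    uint8_t out[8];
    int leaked = 0;
    memset(&uresp, 0xAA, sizeof(uresp));
    if (use_fix)
        demo_create_ah_fixed(&uresp, ah_idx, out);
    else
        demo_create_ah_vulnerable(&uresp, ah_idx, out);

    memcpy(ah_id_out, out, sizeof(*ah_id_out));
    for (size_t i = offsetof(struct demo_ah_resp, rsvd); i < sizeof(uresp); i++)
        leaked += out[i] != 0;
    return leaked;
}
```

With the 0xAA pre-fill, the vulnerable variant hands back all 4 reserved bytes non-zero while the fixed variant hands back none; in the kernel the equivalent bytes would be whatever the stack last held.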
Attack Vector
An attacker with local access and the ability to interact with the RDMA subsystem (typically requiring appropriate permissions or membership in the rdma group) can repeatedly trigger Address Handle creation operations to harvest leaked kernel stack memory. The leaked data could potentially contain:
- Kernel pointer values useful for defeating KASLR (Kernel Address Space Layout Randomization)
- Residual data from previous kernel operations
- Sensitive information that happened to reside on the stack
The vulnerability requires local access to systems with RDMA/irdma driver loaded and enabled, limiting the attack surface to systems with Intel RDMA-capable network hardware.
Detection Methods for CVE-2026-23335
Indicators of Compromise
- Unusual patterns of RDMA Address Handle creation requests from userspace applications
- High-frequency calls to irdma_create_user_ah() from non-standard applications
- Processes attempting to read or analyze RDMA response data that don't typically use RDMA functionality
Detection Strategies
- Monitor for unexpected RDMA subsystem activity on systems not designated for RDMA workloads
- Implement kernel auditing to track ib_respond_udata() calls and associated processes
- Use kernel tracing (ftrace/eBPF) to detect anomalous patterns in irdma driver function calls
- Review system logs for RDMA-related errors or unexpected Address Handle operations
Monitoring Recommendations
- Enable RDMA subsystem logging and audit trails on affected systems
- Deploy endpoint detection solutions capable of monitoring kernel driver interactions
- Establish baseline RDMA usage patterns to identify anomalous behavior
- Consider implementing SentinelOne's Singularity platform for real-time kernel-level threat detection
How to Mitigate CVE-2026-23335
Immediate Actions Required
- Apply the available kernel patches from the Linux kernel stable repositories
- If patching is not immediately possible, consider disabling the irdma driver on systems not requiring RDMA functionality
- Review system access controls to limit which users can interact with the RDMA subsystem
- Monitor affected systems for any signs of exploitation attempts
Patch Information
Multiple patches have been released to address this vulnerability across different Linux kernel stable branches. The fix involves properly zeroing the response structure before populating and transmitting it to userspace. The following patches are available:
- Kernel Patch 14b47c07
- Kernel Patch 1b1fac4c
- Kernel Patch 2fd37450
- Kernel Patch 74586c6d
- Kernel Patch c9bd0007
- Kernel Patch cfe96221
Workarounds
- Unload or blacklist the irdma kernel module on systems not requiring RDMA functionality
- Restrict access to the RDMA subsystem using appropriate user permissions and group membership controls
- Implement network segmentation to limit exposure of RDMA-enabled systems
- Use kernel lockdown mode where supported to limit kernel memory exposure
# Disable irdma driver if not required
sudo modprobe -r irdma
# Blacklist the module to prevent automatic loading
echo "blacklist irdma" | sudo tee /etc/modprobe.d/blacklist-irdma.conf
# Update initramfs to apply blacklist (Debian/Ubuntu; on RHEL-family systems use: sudo dracut -f)
sudo update-initramfs -u
# Confirm the module is no longer loaded (no output means it is unloaded)
lsmod | grep -w irdma
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.