CVE-2026-23384 Overview
A kernel stack memory leak vulnerability has been discovered in the Linux kernel's RDMA/ionic driver, specifically within the ionic_create_cq() function. The vulnerability stems from uninitialized memory in the ionic_cq_resp structure being returned to userspace, potentially leaking sensitive kernel stack data.
Critical Impact
Uninitialized stack memory disclosure can expose sensitive kernel data to userspace, potentially aiding attackers in bypassing kernel address space layout randomization (KASLR) or revealing other sensitive information.
Affected Products
- Linux Kernel (RDMA/ionic driver)
- Systems utilizing Pensando/AMD ionic RDMA network adapters
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23384 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23384
Vulnerability Analysis
The vulnerability exists in the ionic_create_cq() function within the RDMA/ionic driver. The ionic_cq_resp structure contains fields that are not fully initialized before being copied back to userspace. Specifically, the structure contains:
- cqid[2] - A 2-element array of 32-bit unsigned integers at offset 0, which is only partially initialized
- udma_mask - An 8-bit value at offset 8 that is properly set
- rsvd[7] - A 7-byte reserved array at offset 9 that is never initialized
The 7-byte rsvd[7] array is unconditionally leaked to userspace since it is never written to. Additionally, the cqid[2] array may only have its first element initialized depending on the udma_mask value. The loop at line 1256 iterates over udma_idx but skips indices where !(vcq->udma_mask & BIT(udma_idx)). If udma_mask only has bit 0 set, cqid[1] (4 bytes) is never written via ionic_create_cq_common(), resulting in an additional 4 bytes of leaked stack memory. In total, up to 11 bytes of kernel stack memory can be disclosed.
Root Cause
The root cause is improper initialization of the ionic_cq_resp structure before it is populated and returned to userspace. The structure is allocated on the stack but certain fields (rsvd[7] entirely and potentially cqid[1]) are never written to before the structure is copied to the user. This is a classic example of uninitialized memory use leading to information disclosure.
Attack Vector
An attacker with local access and the ability to invoke RDMA operations on an ionic device could trigger repeated calls to create completion queues. By analyzing the returned response structures, the attacker could collect leaked kernel stack memory contents. This information could potentially be used to:
- Defeat KASLR by identifying kernel addresses in the leaked data
- Gather information about other kernel operations and data structures
- Aid in crafting more sophisticated kernel exploits
The exploitation requires local access to the system and appropriate permissions to use RDMA interfaces. The vulnerability is triggered through the standard RDMA verbs interface when creating completion queues on ionic hardware.
Detection Methods for CVE-2026-23384
Indicators of Compromise
- Unusual patterns of RDMA completion queue creation requests
- Processes with RDMA permissions making repeated create_cq operations
- Memory analysis tools detecting uninitialized stack memory patterns in ionic driver operations
Detection Strategies
- Monitor for processes repeatedly calling RDMA verbs to create completion queues on ionic devices
- Implement kernel memory sanitization tools like KASAN (Kernel Address Sanitizer) to detect uninitialized memory access
- Deploy runtime integrity monitoring to detect abnormal RDMA usage patterns
- Audit processes accessing /dev/infiniband/ or related RDMA device nodes
Monitoring Recommendations
- Enable kernel audit logging for RDMA system calls and device interactions
- Monitor for elevated RDMA activity from non-standard processes
- Implement file integrity monitoring on RDMA-related kernel modules
- Review system logs for ionic driver warnings or errors
How to Mitigate CVE-2026-23384
Immediate Actions Required
- Apply the latest kernel patches that address this vulnerability
- Restrict access to RDMA interfaces to only trusted users and processes
- Consider disabling the ionic RDMA driver if not required
- Update to a patched kernel version as soon as available
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper initialization of the entire ionic_cq_resp structure before it is returned to userspace. The patches are available in the following kernel commits:
Workarounds
- Unload or blacklist the rdma_ionic kernel module if RDMA functionality is not required
- Restrict RDMA device access permissions to prevent untrusted users from exploiting the vulnerability
- Implement network segmentation to limit exposure of systems with ionic RDMA hardware
- Use mandatory access control systems (SELinux, AppArmor) to restrict RDMA interface access
# Configuration example
# Blacklist the ionic RDMA module if not needed
echo "blacklist rdma_ionic" >> /etc/modprobe.d/blacklist.conf
# Remove the module if currently loaded
modprobe -r rdma_ionic
# Restrict RDMA device permissions
chmod 600 /dev/infiniband/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
