CVE Vulnerability Database

CVE-2026-45930: Linux Kernel Information Disclosure Flaw

CVE-2026-45930 is an information disclosure vulnerability in the Linux kernel MCTP implementation that exposes uninitialized data through netlink messages. This article covers technical details, affected systems, and mitigation.


CVE-2026-45930 Overview

CVE-2026-45930 is an uninitialized memory disclosure vulnerability in the Linux kernel's Management Component Transport Protocol (MCTP) netlink subsystem. The flaw resides in how the kernel constructs netlink response messages for RTM_GETNEIGH and related queries. The response headers for the MCTP link, address, and neighbor messages (for example the struct ndmsg in a neighbor reply) are not zero-initialized before their fields are filled in, so any members and pad bytes the builder does not write keep whatever data previously occupied the sk_buff data buffer, which is freshly allocated heap memory. A local user issuing ordinary netlink requests can read those bytes and recover kernel memory contents. The issue was reported by Syed Faraz Abrar (@farazsth98) of Zellic and Pumpkin (@u1f383) of DEVCORE Research Team via the Trend Micro Zero Day Initiative.

Critical Impact

Local attackers can leak uninitialized kernel memory through MCTP netlink responses, aiding kernel address space layout discovery and supporting further exploitation chains.

Affected Products

  • Linux kernel versions containing the MCTP netlink subsystem prior to the fix commits
  • Distributions shipping vulnerable upstream kernel revisions
  • Systems with MCTP support enabled (CONFIG_MCTP=y, or CONFIG_MCTP=m with the mctp module loaded or loadable on demand)

Discovery Timeline

  • 2026-05-27 - CVE-2026-45930 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45930

Vulnerability Analysis

The vulnerability is an information disclosure caused by uninitialized memory use [CWE-908] in the MCTP netlink response path. When userspace issues an RTM_GETNEIGH request against the MCTP family, the kernel reserves room for a struct ndmsg header in the response sk_buff (via nlmsg_put(), which zeroes only the alignment tail after the header, not the header itself) and populates only the fields it considers meaningful. The members and pad bytes the original code path did not assign were left untouched. Because the underlying skb data buffer comes from the allocator without being zeroed, those bytes retain whatever residual data last occupied the allocation. The same defect existed in the link and address response message builders in the MCTP subsystem.

Netlink leak primitives like this one are valuable to local attackers building exploitation chains. The disclosed bytes are whatever previously lived in the recycled heap buffer, which can include kernel pointers or fragments of earlier network and socket allocations; a pointer leak defeats kernel address space layout randomization (KASLR) and informs follow-on memory corruption attacks. On its own the bug does not grant elevated privileges.

Root Cause

The MCTP netlink message builders skipped explicit zero-initialization of the response headers. A netlink header such as struct ndmsg is a fixed-layout C structure whose bytes are copied to userspace verbatim; it carries explicitly named pad members (ndm_pad1, ndm_pad2) alongside members such as ndm_flags and ndm_type that the MCTP builder had no value for, and other structures additionally receive implicit padding inserted by the compiler for alignment. Assigning each wanted field individually leaves every other byte of the header uninitialized. When the skb is handed back to userspace (directly via netlink_unicast for a single reply, or through the dump machinery for a dump request), those bytes travel with it.
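The following added example (written for this article, not code from the kernel or the upstream fix) shows the defect in user space. The struct ndmsg layout mirrors the kernel uapi header <linux/neighbour.h> and AF_MCTP is the real constant 45; the exact set of fields the pre-fix neighbor builder assigned (family, ifindex, state) is an illustration of the pattern, and the 0xAA fill is a constructed stand-in for whatever residual heap data a recycled skb buffer would hold. It counts how many header bytes survive the builder unchanged with and without the zero-initialization the fix adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Mirror of struct ndmsg from the kernel uapi header <linux/neighbour.h>:
 * 12 bytes, no compiler-inserted padding, but two explicitly named pad
 * members and two flag/type members that a field-by-field builder may
 * never write.
 */
struct ndmsg {
    uint8_t  ndm_family;
    uint8_t  ndm_pad1;
    uint16_t ndm_pad2;
    int32_t  ndm_ifindex;
    uint16_t ndm_state;
    uint8_t  ndm_flags;
    uint8_t  ndm_type;
};

#define AF_MCTP_VALUE 45    /* AF_MCTP from <linux/socket.h> */
#define STALE_MARKER  0xAA  /* constructed stand-in for residual heap data */

/* Pre-fix pattern (illustrative field set): populate only the fields the
 * builder cares about; 'hdr' points into an skb buffer that was never zeroed. */
static void fill_neigh_unpatched(struct ndmsg *hdr, int ifindex)
{
    hdr->ndm_family  = AF_MCTP_VALUE;
    hdr->ndm_ifindex = ifindex;
    hdr->ndm_state   = 0;
    /* ndm_pad1, ndm_pad2, ndm_flags and ndm_type keep whatever was there. */
}

/* Post-fix pattern: zero the whole header, then assign the wanted fields. */
static void fill_neigh_patched(struct ndmsg *hdr, int ifindex)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->ndm_family  = AF_MCTP_VALUE;
    hdr->ndm_ifindex = ifindex;
    hdr->ndm_state   = 0;
}

/* Count header bytes that still carry the stale marker after the builder ran. */
static size_t count_stale(const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t n = 0;

    for (size_t i = 0; i < len; i++)
        n += (b[i] == STALE_MARKER);
    return n;
}

/* Simulate one neighbor header written into a recycled buffer and report how
 * many of its bytes would reach userspace uninitialized. */
size_t leaked_bytes(int use_fix)
{
    struct ndmsg hdr;

    memset(&hdr, STALE_MARKER, sizeof(hdr));   /* "stale" allocation */
    if (use_fix)
        fill_neigh_patched(&hdr, 3);
    else
        fill_neigh_unpatched(&hdr, 3);
    return count_stale(&hdr, sizeof(hdr));
}

int main(void)
{
    printf("unpatched builder leaks %zu of %zu header bytes\n",
           leaked_bytes(0), sizeof(struct ndmsg));
    printf("patched builder leaks   %zu of %zu header bytes\n",
           leaked_bytes(1), sizeof(struct ndmsg));
    return 0;
}
```

With the illustrative field set, five of the twelve header bytes (ndm_pad1, both bytes of ndm_pad2, ndm_flags, ndm_type) leave the unpatched builder exactly as the allocator left them; the memset in the patched builder brings that to zero. The same reasoning applies to the link and address headers, and it is why the fix zeroes the response data rather than adding assignments one member at a time.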

Attack Vector

A local process with permission to open an AF_NETLINK socket on the NETLINK_ROUTE family can send RTM_GETNEIGH, RTM_GETLINK, or RTM_GETADDR messages scoped to MCTP. The kernel returns response messages whose pad bytes carry residual data. No memory corruption is required, and the leak is fully repeatable. The fix, applied in commits 6fb6a97c86ab and a6a9bc544b67, initializes the netlink response data to zero before population in the link, address, and neighbor message builders.

No verified proof-of-concept code is published. See the kernel commit a6a9bc544b67 and kernel commit 6fb6a97c86ab for the upstream fix.

Detection Methods for CVE-2026-45930

Indicators of Compromise

  • Unexpected userspace processes opening AF_NETLINK sockets and issuing RTM_GETNEIGH, RTM_GETLINK, or RTM_GETADDR requests against the MCTP family
  • Repeated netlink dump requests from non-administrative users targeting MCTP interfaces
  • Unexpected NETLINK_ROUTE sockets (protocol 0 in /proc/net/netlink) held by unprivileged processes that have no networking role, especially when followed by privilege escalation attempts

Detection Strategies

  • Audit socket() calls that create NETLINK_ROUTE sockets (domain AF_NETLINK = 16, protocol 0) from unprivileged contexts; note that auditd sees only the syscall arguments, so the AF_MCTP family (45) inside the request and the RTM_GET* message type are visible only to eBPF instrumentation of sendmsg() or the netlink receive path
  • Deploy eBPF or auditd rules that flag bursts of RTM_GET* netlink queries from non-root UIDs
  • Compare installed kernel build hashes against vendor advisories listing the patched revisions

Monitoring Recommendations

  • Track kernel package versions across the fleet and alert on hosts running pre-patch builds with MCTP enabled
  • Correlate netlink query volume with subsequent suspicious activity such as kernel symbol resolution or kallsyms access
  • Log and review loading of the mctp kernel module on systems that do not require it

How to Mitigate CVE-2026-45930

Immediate Actions Required

  • Apply the upstream Linux kernel patches 6fb6a97c86ab and a6a9bc544b67 or the equivalent distribution backports
  • Inventory hosts with CONFIG_MCTP enabled and prioritize them for patching
  • Restrict local shell and container escape paths that would allow untrusted code to issue netlink queries

Patch Information

The fix initializes netlink response payloads to zero in the MCTP link, address, and neighbor message builders before populating named fields. Eliminating the residual pad-byte content closes the leak. Patched commits are available in the upstream stable tree at git.kernel.org commit 6fb6a97c86ab and git.kernel.org commit a6a9bc544b67. Consult your distribution's security tracker for backported package versions.

Workarounds

  • Unload and blacklist the mctp kernel module on systems that do not use Management Component Transport Protocol (possible only when MCTP is built as a module, CONFIG_MCTP=m)
  • Disable CONFIG_MCTP in custom kernel builds where the feature is not required
  • Apply seccomp or LSM policies that restrict AF_NETLINK socket creation by untrusted workloads
```bash
# Blacklist the MCTP module until the kernel is patched. This only works when
# CONFIG_MCTP=m; a built-in MCTP (CONFIG_MCTP=y) can only be removed by rebuilding.
echo 'blacklist mctp' | sudo tee /etc/modprobe.d/blacklist-mctp.conf
# The install override also defeats on-demand loading (e.g. via socket(AF_MCTP, ...)),
# which a plain blacklist line does not.
echo 'install mctp /bin/true' | sudo tee -a /etc/modprobe.d/blacklist-mctp.conf
# rmmod fails while MCTP transport drivers (e.g. mctp_serial, mctp_i2c) still use it;
# unload those first, or reboot after adding the override.
sudo rmmod mctp 2>/dev/null || true
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
