CVE-2026-46182 Overview
CVE-2026-46182 is a kernel information disclosure vulnerability in the Linux kernel's pseries/papr-hvpipe driver for the PowerPC architecture. The flaw exists because the hdr variable is allocated on the stack with only the hdr.version and hdr.flags fields initialized explicitly. The struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]) that remain uninitialized. When copy_to_user() is invoked, these uninitialized bytes are copied to userspace, leaking arbitrary kernel stack memory contents. The upstream fix initializes the entire struct to zero before population [CWE-908: Use of Uninitialized Resource].
Critical Impact
Local userspace processes on affected PowerPC pSeries systems can read uninitialized kernel stack memory, potentially exposing sensitive kernel data, pointers, or secrets useful for further exploitation.
Affected Products
- Linux kernel with pseries/papr-hvpipe driver enabled (IBM PowerPC pSeries platforms)
- Stable kernel branches receiving backports referenced in the upstream commits
- PowerPC LPAR (Logical Partition) environments using PAPR hypervisor pipe interfaces
Discovery Timeline
- 2026-05-28 - CVE-2026-46182 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46182
Vulnerability Analysis
The vulnerability resides in the PowerPC pseries/papr-hvpipe subsystem, which provides a hypervisor pipe interface between Linux logical partitions and the PAPR (Power Architecture Platform Reference) hypervisor. The driver constructs a header structure on the kernel stack, populates two fields, and copies the header to userspace via copy_to_user().
Because the structure is stack-allocated and only partially initialized, the remaining bytes contain whatever stale data previously occupied that stack frame. The struct papr_hvpipe_hdr defines two reserved fields, reserved[3] and reserved2[40], totaling 43 bytes of padding that the original code never zeroed.
This represents a classic kernel-to-user infoleak. While the vulnerability does not directly enable code execution or privilege escalation, the disclosed memory may contain kernel pointers useful for bypassing Kernel Address Space Layout Randomization (KASLR) or other kernel secrets that aid subsequent exploitation chains.
Root Cause
The root cause is incomplete initialization of a stack-allocated structure prior to its transmission to userspace. Selective field assignment leaves padding and reserved bytes containing residual kernel stack contents. The fix replaces selective initialization with a full zero-initialization of the structure before any field assignment.
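The pre-fix and fixed initialization patterns side by side, as an added userspace model that is not the driver's code. The struct's field types and order are assumed from the field names above, memcpy() stands in for copy_to_user(), and the 0xA5 fill is a constructed stand-in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: field names are from the advisory, types and order are not. */
struct papr_hvpipe_hdr {
    uint8_t  version;
    uint8_t  reserved[3];
    uint32_t flags;
    uint8_t  reserved2[40];
};

#define STALE 0xA5 /* constructed marker standing in for old stack contents */

/* zero_first == 0 models the pre-fix code, zero_first == 1 models the fix. */
static void fill_hdr(struct papr_hvpipe_hdr *h, int zero_first)
{
    if (zero_first)
        memset(h, 0, sizeof(*h)); /* the fix: zero the whole object first */
    h->version = 1;               /* constructed values for the two fields */
    h->flags = 0;                 /* that are assigned explicitly */
}

/* Copy the full struct out and count stale bytes outside version/flags. */
static size_t stale_bytes_copied(int zero_first)
{
    struct papr_hvpipe_hdr hdr;
    unsigned char user_buf[sizeof(hdr)];
    size_t i, n = 0, f = offsetof(struct papr_hvpipe_hdr, flags);

    memset(&hdr, STALE, sizeof(hdr));    /* simulate a reused stack slot */
    fill_hdr(&hdr, zero_first);
    memcpy(user_buf, &hdr, sizeof(hdr)); /* whole struct crosses the boundary */
    for (i = 0; i < sizeof(user_buf); i++) {
        int is_field = i == offsetof(struct papr_hvpipe_hdr, version) ||
                       (i >= f && i < f + sizeof(hdr.flags));
        if (!is_field && user_buf[i] == STALE)
            n++;
    }
    return n;
}

int main(void)
{
    printf("partial init: %zu stale bytes\n", stale_bytes_copied(0));
    printf("zero first:   %zu stale bytes\n", stale_bytes_copied(1));
    return 0;
}
```

Counting every byte outside the two assigned fields, rather than only the named reserved arrays, also catches compiler-inserted padding in structs that have any.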
Attack Vector
An unprivileged local user on an affected PowerPC pSeries system invokes the papr-hvpipe interface and reads the returned header from userspace. The returned bytes include the uninitialized reserved fields, exposing kernel stack memory. Exploitation requires local access and the ability to interact with the papr-hvpipe character device or syscall interface.
No verified public proof-of-concept code is associated with this CVE. The vulnerability mechanism is documented in the upstream kernel commits referenced in the kernel.org stable tree.
Detection Methods for CVE-2026-46182
Indicators of Compromise
- Unusual or repeated access to papr-hvpipe device interfaces from unprivileged user processes on PowerPC LPAR systems
- Userspace processes performing high-frequency reads of hypervisor pipe headers, which may indicate scraping for kernel memory disclosure
- Presence of unpatched kernel versions on pSeries hardware where the papr-hvpipe driver is loaded
Detection Strategies
- Audit running kernel versions across the PowerPC fleet and confirm that each build includes the fix commits 0479b6e9f999, cefeed4429626, and f88f8e4485b4
- Enable kernel auditing (auditd) rules covering open and read syscalls against the papr-hvpipe device node to surface anomalous access patterns
- Apply static analysis tools such as smatch or coccinelle in CI pipelines to flag copy_to_user() calls on partially initialized stack structures
Monitoring Recommendations
- Forward kernel audit logs and process telemetry from PowerPC hosts into a centralized logging or SIEM platform for correlation
- Track invocations of low-level PAPR hypervisor interfaces from non-root processes and alert on deviations from baseline
- Monitor kernel package update status and flag systems running kernel builds predating the upstream patch
How to Mitigate CVE-2026-46182
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the commits 0479b6e9f999cc1cbad7d9f09f574fc387e605d5, cefeed44296261173a806bef988b26bc565da4be, and f88f8e4485b437e0a2f96a7ff1f88aa22d925659
- Inventory all PowerPC pSeries LPARs and prioritize patching systems exposing papr-hvpipe to multi-tenant or untrusted local users
- Restrict access to PAPR hypervisor pipe interfaces to trusted system accounts where the patch cannot be deployed immediately
Patch Information
The upstream fix initializes the entire struct papr_hvpipe_hdr to zero before assigning the version and flags fields, eliminating the leak of reserved[3] and reserved2[40] padding bytes. Patches are merged into the mainline and stable kernel trees. Refer to the kernel.org commit log for the canonical fix and distribution-specific backports.
Workarounds
- Disable the papr-hvpipe driver via kernel build configuration or module blacklist where the functionality is not required
- Tighten Discretionary Access Control (DAC) permissions on the papr-hvpipe device node to limit access to privileged accounts
- Apply Mandatory Access Control (MAC) policies through SELinux or AppArmor to confine processes that interact with the hypervisor pipe interface
```bash
# Example: blacklist the papr-hvpipe module until patched kernel is deployed
echo 'blacklist papr-hvpipe' | sudo tee /etc/modprobe.d/blacklist-papr-hvpipe.conf
sudo update-initramfs -u
# Verify kernel version after patching
uname -r
```


