CVE-2026-52937
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a stack info leak was found in the tap driver via the SIOCGIFHWADDR ioctl. The tap_ioctl() function copies 16 bytes of an uninitialized sockaddr_storage structure to userspace, while netif_get_mac_address() only writes 6 bytes of the MAC address, leaving 8 bytes uninitialized. These 8 bytes may leak sensitive kernel data, including pointers, defeating KASLR.
Risk Assessment
The kernel stack leak can expose confidential information, such as kernel memory addresses, facilitating attacks that require knowledge of memory layout, like system compromise. The vulnerability affects macvtap interfaces and can be exploited locally by an unprivileged user.
Recommendation
Immediately update the Linux kernel to a version containing the fix that initializes the sockaddr_storage structure before use. For production systems, apply the security patch from your distributor.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.

