In the Linux kernel, the following vulnerability has been resolved:

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00154.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
3b23a32a63219f51a5298bc55a65ecee866e79d0 affected < 719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb
3b23a32a63219f51a5298bc55a65ecee866e79d0 affected < 05305e832be7b9d65b2b72caacf7d850b3942b2a
3b23a32a63219f51a5298bc55a65ecee866e79d0 affected < bddc09212c24934643bd44fc794748d2bbb3b6cd
176188cff67ec1aa55103647b61d02315cc38e98 affected
1fc205d9e400f069ebf30d3faa6ec2bab2cbd7b4 affected
4d0ae760c02c98fc78b78d3a0509896bc648ad1c affected
5.4.103 affected < 5.5
5.10.21 affected < 5.11
5.11.4 affected < 5.12
Linux Linux affected
Version Status Constraints
5.12 affected
0 unaffected < 5.12
6.18.34 unaffected ≤ 6.18.*
7.0.11 unaffected ≤ 7.0.*
7.1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/05305e832be7b9d65b2b72caacf7d850b3942b2a cve-icon
https://git.kernel.org/stable/c/719007c3492f0f1f9e9cdbed8ac45ba45bb13eeb cve-icon
https://git.kernel.org/stable/c/bddc09212c24934643bd44fc794748d2bbb3b6cd cve-icon
History

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration.
Title tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:27.305Z

Reserved: 2026-06-09T07:44:35.370Z

Link: CVE-2026-52937

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses

No weakness.