{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "e8521822c733c6deab0f339843cd37cd62c12795"
            },
            {
              "fixed": "a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"
            },
            {
              "fixed": "547d0b07ad73915b323bc21f85c5d3252bebbbcf"
            },
            {
              "fixed": "faa72102b178c7ae6c6afea23879e7c84fc59b4e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.18.0"
            },
            {
              "fixed": "6.18.17"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23384.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)\n    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq-\u003eudma_mask)\n    __u8  rsvd[7];         // offset 9 - NEVER SET \u003c- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq-\u003eudma_mask \u0026 BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked.",
  "id": "CVE-2026-23384",
  "modified": "2026-04-01T23:10:20.617310172Z",
  "published": "2026-03-25T10:28:02.818Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23384.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23384"
    }
  ],
  "schema_version": "1.7.3",
  "summary": "RDMA/ionic: Fix kernel stack leak in ionic_create_cq()"
}