{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "75345f888f700c4ab2448287e35d48c760b202e6"
            },
            {
              "fixed": "14271b401ec6a4bf0d88054106fc2956084717e1"
            },
            {
              "fixed": "cccce3190ba4356432b9f22369b56123d3d89f0d"
            },
            {
              "fixed": "a44fbb631cba646532f3948636626f81717365a7"
            },
            {
              "fixed": "0653c0516234c8258975d268a749115fc0f0ff00"
            },
            {
              "fixed": "c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"
            },
            {
              "fixed": "fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"
            },
            {
              "fixed": "38bcc21f52246badb3154b6158dcb381d98de011"
            },
            {
              "fixed": "4b9e327991815e128ad3af75c3a04630a63ce3e0"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.88"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.30"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46132.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev-\u003ebroadcast into it using dev-\u003eaddr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev-\u003ebroadcast, dev-\u003eaddr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev-\u003eaddr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), \u0026vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction.",
  "id": "CVE-2026-46132",
  "modified": "2026-07-08T05:37:45.891685210Z",
  "published": "2026-05-28T09:35:47.047Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46132.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46132"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo"
}