CVE-2026-43089
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_mapping()
struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables.
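The padding hole and the effect of zeroing the structure first, shown as an added userspace illustration (not kernel code and not part of the original advisory). The struct is a replica that assumes the uapi field order and sizes; `usersa_id_replica`, `set_fields`, `padding_after_fill` and the `STALE` marker are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace replica (assumed layout): 16-byte address, 32-bit SPI,
 * 16-bit family, 8-bit proto, then one byte of compiler padding. */
struct usersa_id_replica {
    uint32_t daddr[4];            /* stands in for xfrm_address_t */
    uint32_t spi;
    uint16_t family;
    uint8_t  proto;
};

#define PAD_OFF (offsetof(struct usersa_id_replica, proto) + 1)
#define STALE   0xA5              /* constructed marker for old buffer contents */

/* Field-by-field fill; volatile stops the compiler from merging or
 * widening the stores, so the padding byte is never written here. */
static void set_fields(volatile struct usersa_id_replica *id)
{
    for (int i = 0; i < 4; i++)
        id->daddr[i] = 0;
    id->spi = 0x01020304;
    id->family = 2;
    id->proto = 50;
}

/* Returns the padding byte as it would be copied out with the struct. */
static unsigned char padding_after_fill(int zero_first)
{
    union {
        struct usersa_id_replica id;
        unsigned char raw[sizeof(struct usersa_id_replica)];
    } u;

    memset(u.raw, STALE, sizeof(u.raw));   /* simulate a reused buffer */
    if (zero_first)
        memset(&u.id, 0, sizeof(u.id));    /* the fix: clear the whole struct */
    set_fields(&u.id);
    return u.raw[PAD_OFF];
}

int main(void)
{
    printf("sizeof=%zu pad_off=%zu\n", sizeof(struct usersa_id_replica), PAD_OFF);
    printf("fields only:  0x%02x\n", padding_after_fill(0));
    printf("memset first: 0x%02x\n", padding_after_fill(1));
    return 0;
}
```

The same check (size of the struct versus the sum of its members) is what tools such as pahole report as a hole, and it applies to any structure copied to userspace.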
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel xfrm_user info leak in build_mapping() due to uninitialized padding in struct xfrm_usersa_id, allowing kernel memory disclosure.
Vulnerability
In the Linux kernel's xfrm_user module, the build_mapping() function copies a struct xfrm_usersa_id to userspace without initializing the one-byte padding hole that exists after the proto field. This uninitialized padding can leak kernel stack memory to unprivileged userspace processes.
Exploitation
The vulnerability is reachable via netlink sockets (AF_NETLINK) by any process with the CAP_NET_ADMIN capability. An attacker can craft a netlink message that triggers the XFRM_MSG_NEWSA or related operations, causing build_mapping() to be called. No additional authentication is required beyond the netlink socket permissions.
Impact
A local attacker can repeatedly trigger this info leak to read one byte of uninitialized kernel memory per call. Over multiple calls, this could be used to defeat kernel address space layout randomization (KASLR) or leak other sensitive kernel data.
Mitigation
The fix, which zeroes the entire struct xfrm_usersa_id before use, has been applied to the stable kernel trees [1][2][3][4]. Users should update to a patched kernel version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/1beb76b2053b68c491b78370794b8ff63c8f8c02 (nvd)
- git.kernel.org/stable/c/5a1a4b049ddde41466ccac0daeec326254b133f2 (nvd)
- git.kernel.org/stable/c/700c9622b23c33b5933e6dcea816492c064e4e10 (nvd)
- git.kernel.org/stable/c/d3125c541a96fb3c0fc7210112684baf22b6c24d (nvd)
- git.kernel.org/stable/c/f779a6b6cdb6e12baa0663063ac59ab2a8f20c0c (nvd)