CVE-2026-45930
Description
In the Linux kernel, the following vulnerability has been resolved:
net: mctp: ensure our nlmsg responses are initialised
Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from DEVCORE Research Team working with Trend Micro Zero Day Initiative report that an RTM_GETNEIGH will return uninitialised data in the pad bytes of the ndmsg data.
Ensure we're initialising the netlink data to zero, in the link, addr and neigh response messages.
Affected products
Patches
a6a9bc544b67 net: mctp: ensure our nlmsg responses are initialised
3 files changed · +3 −1
net/mctp/device.c+1 −0 modifieddiff --git a/net/mctp/device.c b/net/mctp/device.c index 4d404edd7446e1..04c5570bacff69 100644 --- a/net/mctp/device.c +++ b/net/mctp/device.c @@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ifa_family = AF_MCTP; hdr->ifa_prefixlen = 0; hdr->ifa_flags = 0;
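Review bot: with the new `memset(hdr, 0, sizeof(*hdr));` at the top of mctp_fill_addrinfo(), the two context lines that follow, `hdr->ifa_prefixlen = 0;` and `hdr->ifa_flags = 0;`, now write zeros over bytes that are already zero; they can be dropped in a follow-up or kept as a statement of intent. Note also that the memset covers only the fixed header returned by nlmsg_data(), not any attributes appended to the message afterwards, which are sized and copied separately.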
net/mctp/neigh.c+1 −0 modifieddiff --git a/net/mctp/neigh.c b/net/mctp/neigh.c index 05b899f22d902b..fc85f0e6930143 100644 --- a/net/mctp/neigh.c +++ b/net/mctp/neigh.c @@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ndm_family = AF_MCTP; hdr->ndm_ifindex = dev->ifindex; hdr->ndm_state = 0; // TODO other state bits?
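Review bot: the memset is what actually clears ndm_pad1 and ndm_pad2, the pad fields struct ndmsg carries between ndm_family and ndm_ifindex, which none of the explicit assignments in mctp_fill_neigh() ever touched; the explicit `hdr->ndm_state = 0;` is now redundant. The trailing `// TODO other state bits?` on the context line is a C99-style comment that the kernel coding style (and checkpatch) discourages, so converting it to a `/* ... */` comment or resolving the TODO would be a reasonable follow-up.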
net/mctp/route.c+1 −1 modifieddiff --git a/net/mctp/route.c b/net/mctp/route.c index 2ac4011a953fff..ecbbe4beb2133b 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -1643,6 +1643,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->rtm_family = AF_MCTP; /* we use the _len fields as a number of EIDs, rather than -- cgit 1.3-korg
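Review bot: the file summary says `+1 −1` for route.c, but the visible hunk (`@@ -1643,6 +1643,7 @@`) only adds a line, so the removed line lies outside the quoted context and the full commit should be checked to confirm that deletion is intentional. Placement of the memset itself is right: it lands before `hdr->rtm_family = AF_MCTP;` and before the `_len` fields the following comment describes, so any struct rtmsg member mctp_fill_rtinfo() does not assign now starts from zero rather than from stale skb contents.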
6fb6a97c86ab net: mctp: ensure our nlmsg responses are initialised
3 files changed · +3 −1
net/mctp/device.c+1 −0 modifieddiff --git a/net/mctp/device.c b/net/mctp/device.c index 4d404edd7446e1..04c5570bacff69 100644 --- a/net/mctp/device.c +++ b/net/mctp/device.c @@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ifa_family = AF_MCTP; hdr->ifa_prefixlen = 0; hdr->ifa_flags = 0;
net/mctp/neigh.c+1 −0 modifieddiff --git a/net/mctp/neigh.c b/net/mctp/neigh.c index 05b899f22d902b..fc85f0e6930143 100644 --- a/net/mctp/neigh.c +++ b/net/mctp/neigh.c @@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ndm_family = AF_MCTP; hdr->ndm_ifindex = dev->ifindex; hdr->ndm_state = 0; // TODO other state bits?
net/mctp/route.c+1 −1 modifieddiff --git a/net/mctp/route.c b/net/mctp/route.c index 2ac4011a953fff..ecbbe4beb2133b 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -1643,6 +1643,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt, return -EMSGSIZE; hdr = nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->rtm_family = AF_MCTP; /* we use the _len fields as a number of EIDs, rather than -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing zero-initialization of netlink message header structures in MCTP response handlers allows uninitialized stack/heap data to leak through pad bytes."
Attack vector
An unprivileged local attacker sends a RTM_GETNEIGH, RTM_GETROUTE, or RTM_GETADDR netlink request to the MCTP subsystem. The kernel constructs a response using nlmsg_data() without zeroing the returned header structure, leaving pad bytes and unset fields filled with whatever data was previously in that memory. When the response is delivered back to userspace, the uninitialized bytes are copied out, leaking kernel memory contents. No special privileges beyond netlink socket access are required.
Affected code
The vulnerability exists in three files under net/mctp/: route.c (function mctp_fill_rtinfo), device.c (function mctp_fill_addrinfo), and neigh.c (function mctp_fill_neigh). In each function, the netlink message header obtained via nlmsg_data() was not zero-initialized before individual fields were assigned [patch_id=2661242][patch_id=2661243][patch_id=2661240][patch_id=2661241].
What the fix does
The patch adds a `memset(hdr, 0, sizeof(*hdr))` call immediately after `nlmsg_data(nlh)` in three functions: `mctp_fill_rtinfo` (route.c), `mctp_fill_addrinfo` (device.c), and `mctp_fill_neigh` (neigh.c) [patch_id=2661242][patch_id=2661243][patch_id=2661240][patch_id=2661241]. This ensures all bytes of the netlink message header, including any implicit padding between struct fields, are zeroed before individual fields are assigned. Previously only specific fields like `rtm_family`, `ifa_family`, or `ndm_family` were set, leaving the rest of the structure uninitialized.
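As an added illustration (not code from the kernel patch or from this page), the following userspace model of struct ndmsg shows why assigning individual fields leaves the pad bytes holding whatever the buffer previously contained, and why the memset in the fix clears them. AF_MCTP's value of 45 comes from the kernel headers; the 0xA5 stale pattern and the ifindex 7 are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed userspace model of struct ndmsg, the RTM_GETNEIGH payload.
 * Layout follows <linux/neighbour.h>; ndm_pad1/ndm_pad2 are real pad
 * fields in that header, not compiler padding. */
struct ndmsg_model {
	uint8_t  ndm_family;
	uint8_t  ndm_pad1;
	uint16_t ndm_pad2;
	int32_t  ndm_ifindex;
	uint16_t ndm_state;
	uint8_t  ndm_flags;
	uint8_t  ndm_type;
};

#define AF_MCTP_VALUE 45	/* AF_MCTP as defined in <linux/socket.h> */
/* Pre-patch shape of mctp_fill_neigh(): only the fields visible in the
 * hunk are assigned; every other byte keeps whatever the skb held. */
static void fill_neigh_unfixed(struct ndmsg_model *hdr, int ifindex)
{
	hdr->ndm_family = AF_MCTP_VALUE;
	hdr->ndm_ifindex = ifindex;
	hdr->ndm_state = 0;
}

/* Post-patch shape: the whole header is zeroed before any field is set. */
static void fill_neigh_fixed(struct ndmsg_model *hdr, int ifindex)
{
	memset(hdr, 0, sizeof(*hdr));
	hdr->ndm_family = AF_MCTP_VALUE;
	hdr->ndm_ifindex = ifindex;
	hdr->ndm_state = 0;
}

/* Simulate a response buffer that previously held other kernel data
 * (stale is the constructed pattern), run one fill routine, and return
 * how many header bytes still carry that pattern, i.e. would leak. */
static int stale_bytes_after(void (*fill)(struct ndmsg_model *, int),
			     uint8_t stale)
{
	struct ndmsg_model hdr;
	const uint8_t *p = (const uint8_t *)&hdr;
	int leaked = 0;

	memset(&hdr, stale, sizeof(hdr));
	fill(&hdr, 7);	/* 7: constructed ifindex */
	for (size_t i = 0; i < sizeof(hdr); i++)
		leaked += (p[i] == stale);
	return leaked;
}
```

With the pre-patch routine, 5 of the 12 header bytes (ndm_pad1, both bytes of ndm_pad2, ndm_flags and ndm_type in this model) still carry the stale pattern; with the memset, none do.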
Preconditions
- network: Attacker must be able to send netlink messages (AF_NETLINK sockets) to the MCTP subsystem
- auth: No special privileges required beyond netlink socket access
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.