{"id":"CVE-2026-23384","summary":"RDMA/ionic: Fix kernel stack leak in ionic_create_cq()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ionic: Fix kernel stack leak in ionic_create_cq()\n\nstruct ionic_cq_resp resp {\n    __u32 cqid[2];         // offset 0 - PARTIALLY SET (see below)\n    __u8  udma_mask;       // offset 8 - SET (resp.udma_mask = vcq-\u003eudma_mask)\n    __u8  rsvd[7];         // offset 9 - NEVER SET \u003c- LEAK\n};\n\nrsvd[7]: 7 bytes of stack memory leaked unconditionally.\n\ncqid[2]: The loop at line 1256 iterates over udma_idx but skips indices\nwhere !(vcq-\u003eudma_mask & BIT(udma_idx)). The array has 2 entries but\nudma_count could be 1, meaning cqid[1] might never be written via\nionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4\nbytes) is also leaked. So potentially 11 bytes leaked.","modified":"2026-04-02T13:12:23.060442Z","published":"2026-03-25T10:28:02.818Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23384.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/547d0b07ad73915b323bc21f85c5d3252bebbbcf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/faa72102b178c7ae6c6afea23879e7c84fc59b4e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23384.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23384"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e8521822c733c6deab0f339843cd37cd62c12795"},{"fixed":"a6f3e0fa8e862f220c26c2f27e5ddc42eb82ad3e"},{"fixed":"547d0b07ad73915b323bc21f85c5d3252bebbbcf"},{"fixed":"faa72102b178c7ae6c6afea23879e7c84fc59b4e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23384.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23384.json"}}],"schema_version":"1.7.5"}