{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Information disclosure in efivarfs via incorrect error propagation",
    "id" : "2439951",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439951"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-390",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nefivarfs: fix error propagation in efivar_entry_get()\nefivar_entry_get() always returns success even if the underlying\n__efivar_entry_get() fails, masking errors.\nThis may result in uninitialized heap memory being copied to userspace\nin the efivarfs_file_read() path.\nFix it by returning the error from __efivar_entry_get().", "A flaw was found in the efivarfs component of the Linux kernel. This vulnerability, an information disclosure issue, arises from incorrect error handling in the efivar_entry_get function. An unprivileged local attacker can exploit this by reading from efivarfs, potentially causing uninitialized kernel memory to be copied to userspace. This could allow the attacker to obtain sensitive kernel memory contents, which may aid in bypassing security mitigations." ],
  "statement" : "A local information disclosure issue exists in efivarfs due to incorrect error propagation in efivar_entry_get. The wrapper efivar_entry_get called __efivar_entry_get to retrieve EFI variable data but always returned success (0) even when the underlying function failed. This causes callers to treat the output buffers (attributes, size and data) as valid even though the read may not have completed. In the efivarfs file read path, efivarfs_file_read, this can result in copying an uninitialized or partially initialized kernel heap buffer to userspace. An unprivileged local attacker who can read from efivarfs can potentially obtain kernel memory contents. Such leaks can expose sensitive information and may be useful to bypass mitigations such as KASLR in combination with other vulnerabilities.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23156\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23156\nhttps://lore.kernel.org/linux-cve-announce/2026021416-CVE-2026-23156-b2f4@gregkh/T" ],
  "name" : "CVE-2026-23156",
  "csaw" : false
}