{ "threat_severity" : "Low", "public_date" : "2026-01-25T00:00:00Z", "bugzilla" : { "description" : "kernel: block: zero non-PI portion of auto integrity buffer", "id" : "2432674", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2432674" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-908", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblock: zero non-PI portion of auto integrity buffer\nThe auto-generated integrity buffer for writes needs to be fully\ninitialized before being passed to the underlying block device,\notherwise the uninitialized memory can be read back by userspace or\nanyone with physical access to the storage device. If protection\ninformation is generated, that portion of the integrity buffer is\nalready initialized. The integrity data is also zeroed if PI generation\nis disabled via sysfs or the PI tuple size is 0. However, this misses\nthe case where PI is generated and the PI tuple size is nonzero, but the\nmetadata size is larger than the PI tuple. In this case, the remainder\n(\"opaque\") of the metadata is left uninitialized.\nGeneralize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the\nmetadata is larger than just the PI tuple.", "An information disclosure vulnerability was found in the Linux kernel's block layer integrity handling. When auto-generating integrity buffers for writes with protection information (PI) enabled, the non-PI portion of the metadata buffer is left uninitialized if the metadata size exceeds the PI tuple size. This uninitialized kernel memory can be read back by userspace or anyone with physical access to the storage device." ], "statement" : "This vulnerability allows kernel memory contents to leak to storage media and potentially be read back by userspace. It affects block devices with integrity/PI metadata where the metadata size is larger than the PI tuple. The information disclosure requires specific storage hardware configurations with extended metadata support and the ability to read back the written data.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23007\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23007\nhttps://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23007-38b1@gregkh/T" ], "name" : "CVE-2026-23007", "csaw" : false }