HIGH
efivarfs Entry InfoLeak
CVE-2026-23156
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

efivarfs: fix error propagation in efivar_entry_get()

efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors. This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path.

Fix it by returning the error from __efivar_entry_get().
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can read uninitialized kernel heap memory through the efivarfs filesystem when EFI variable reads fail. This exposes sensitive kernel memory contents that could contain cryptographic keys, addresses, or other confidential data to userspace processes.
Vulnerability analysis
The root cause is in efivar_entry_get() which always returns 0 (success) even when the underlying __efivar_entry_get() fails to read an EFI variable. When __efivar_entry_get() fails, the output buffer remains uninitialized but efivarfs_file_read() proceeds to copy this uninitialized heap memory to userspace because the error is masked. The fix changes the return statement from 'return 0;' to 'return err;' to properly propagate the error, preventing the copy of uninitialized data when variable reads fail. This is a local vulnerability requiring access to the efivarfs filesystem, typically mounted at /sys/firmware/efi/efivars.
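The error-masking pattern described above can be modelled in userspace. This is an added example, not the kernel's code: `inner_get`, `entry_get_buggy`, `entry_get_fixed` and `model_read` are hypothetical stand-ins, and the `0xAA` fill is a constructed marker for stale heap bytes so the result is deterministic.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define VAR_SIZE 16
#define STALE 0xAA   /* constructed marker standing in for leftover heap bytes */

/* Hypothetical low-level read: on failure it returns a negative errno
 * and leaves the output buffer untouched. */
int inner_get(int fail, unsigned char *data, size_t len)
{
    if (fail)
        return -EIO;
    memset(data, 0x11, len);          /* constructed "variable contents" */
    return 0;
}

/* Pre-fix pattern: the inner error is captured, then dropped. */
int entry_get_buggy(int fail, unsigned char *data, size_t len)
{
    int err = inner_get(fail, data, len);
    (void)err;
    return 0;
}

/* Post-fix pattern: the inner error reaches the caller. */
int entry_get_fixed(int fail, unsigned char *data, size_t len)
{
    return inner_get(fail, data, len);
}

/* Model of the read path: allocate, fetch, copy out only on success.
 * Returns the number of bytes copied to `user`, or a negative errno. */
long model_read(int (*get)(int, unsigned char *, size_t), int fail,
                unsigned char *user)
{
    unsigned char *buf = malloc(VAR_SIZE);
    long ret;
    if (!buf)
        return -ENOMEM;
    memset(buf, STALE, VAR_SIZE);     /* simulate stale heap contents */
    ret = get(fail, buf, VAR_SIZE);
    if (ret == 0) {
        memcpy(user, buf, VAR_SIZE);  /* stands in for the copy to userspace */
        ret = VAR_SIZE;
    }
    free(buf);
    return ret;
}
```

With the buggy wrapper a failed read still reports 16 bytes, all of them the stale marker; with the fixed wrapper the caller sees the error and copies nothing.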
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.162 | 3960f1754664 |
| 6.12 | 6.12.69 | 89b8ca709eee |
| 6.18 | 6.18.9 | e4e15a0a4403 |
| 6.6 | 6.6.123 | 510a16f1c5c1 |
| mainline | 6.19 | 4b22ec1685ce |