HIGH
rnbd Response Leak
CVE-2026-43184
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KernelScan AI 5.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

rnbd-srv: Zero the rsp buffer before using it

Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes from being picked up by the client side when the message is exchanged between different protocol versions.
02 KernelScan AI Analysis
Risk summary
RNBD server leaks uninitialized kernel memory to network clients through response messages. Any client connecting to an RNBD service can receive kernel memory contents, potentially exposing sensitive information like kernel pointers or data from previous operations.
Vulnerability analysis
The RNBD server fails to zero response buffers before populating them with protocol data. When response structures contain padding bytes or unused fields, uninitialized kernel memory is transmitted to clients over the network. The fix adds memset() calls to zero the entire response structures before use, ensuring no stray kernel data is leaked. This affects the open response and session info response message handlers.
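The leak pattern described above, as an added user-space example (not code from the kernel or from this page): a hypothetical `demo_rsp` structure, which is not the rnbd wire format, is filled in a buffer preloaded with constructed stale bytes, once without and once with the `memset()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5  /* constructed marker standing in for leftover kernel data */

/* Hypothetical response layout (NOT the rnbd wire format): reserved space
 * that a handler for an older protocol version never writes. */
struct demo_rsp {
    uint16_t type;
    uint8_t  version;
    uint8_t  reserved1;
    uint32_t device_id;
    uint64_t nsectors;
    uint8_t  reserved[16];
};

/* "Before": only the named fields are assigned; the rest keeps old contents. */
static void fill_rsp_unzeroed(struct demo_rsp *rsp)
{
    rsp->type = 2;
    rsp->version = 1;
    rsp->device_id = 7;
    rsp->nsectors = 2048;
}

/* "After": zero the whole response first, then populate it. */
static void fill_rsp_zeroed(struct demo_rsp *rsp)
{
    memset(rsp, 0, sizeof(*rsp));
    fill_rsp_unzeroed(rsp);
}

/* Fill a reused buffer and count stale bytes that would go out on the wire. */
static size_t stale_bytes_sent(void (*fill)(struct demo_rsp *))
{
    struct demo_rsp rsp;
    const unsigned char *wire = (const unsigned char *)&rsp;
    size_t i, n = 0;

    memset(&rsp, STALE, sizeof(rsp));  /* simulate a buffer holding old data */
    fill(&rsp);
    for (i = 0; i < sizeof(rsp); i++)
        n += (wire[i] == STALE);
    return n;
}

int main(void)
{
    printf("unzeroed: %zu stale bytes\n", stale_bytes_sent(fill_rsp_unzeroed));
    printf("zeroed:   %zu stale bytes\n", stale_bytes_sent(fill_rsp_zeroed));
    return 0;
}
```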
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | e4272754063d |
| 5.15 | 5.15.202 | e2cacec7d429 |
| 6.1 | 6.1.165 | b646e54d23b9 |
| 6.12 | 6.12.75 | 7aac0a30dcf4 |
| 6.18 | 6.18.16 | c94ede3c436d |
| 6.19 | 6.19.6 | 852475278ca5 |
| 6.6 | 6.6.128 | 30868a6a5238 |
| mainline | 7.0 | 69d26698e4fd |