CVE-2026-46182: Linux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability
A vulnerability in the Linux kernel's IBM POWER Systems (pseries) PAPR hypervisor pipe driver allows uninitialized kernel memory to be exposed to unprivileged users. When the driver copies a header structure to userspace, it fails to zero out reserved padding fields within that structure, inadvertently leaking sensitive kernel data. An attacker with local access could read this leaked memory to potentially gather information about the running kernel state.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user(). This patch fixes that by initializing the whole struct to 0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46182 is a kernel information disclosure vulnerability in the pseries/papr-hvpipe driver. The vulnerability stems from incomplete initialization of a stack-allocated struct papr_hvpipe_hdr before it is copied to userspace via copy_to_user(). While the driver explicitly initializes the version and flags fields, the reserved padding bytes (reserved[3] and reserved2[40]) remain uninitialized and containing arbitrary kernel stack data. This uninitialized kernel memory is then exposed to userspace, violating confidentiality. The fix is straightforward: zero-initialize the entire structure before use to ensure no stale kernel data leaks through the padding.
Business impact
This information disclosure poses a moderate risk to systems running vulnerable Linux kernels on IBM POWER Systems hardware. Attackers with local user access can extract uninitialized kernel memory, which may contain sensitive data such as cryptographic keys, heap pointers for exploit development, or other kernel state information. While the vulnerability requires local access and does not directly enable privilege escalation or denial of service on its own, the leaked information could facilitate subsequent attacks. Organizations running POWER-based infrastructure (including IBM Power10, Power9, or virtualized environments) should treat this as a targeted concern requiring prompt remediation.
Affected systems
This vulnerability affects the Linux kernel on IBM POWER Systems (pseries architecture). It specifically impacts the papr-hvpipe (PAPR Hypervisor Pipe) driver, which is used for communication with the hypervisor on POWER-based systems. Any Linux distribution running on POWER Systems hardware with an affected kernel version is at risk. Server virtualization platforms and cloud deployments using POWER Systems architecture are in scope. Desktop or x86/ARM systems are not affected. Exact affected kernel versions should be verified against the Linux kernel security advisories and your distribution's patch tracking system.
Exploitability
Exploitation requires local access to the affected system, placing this in the 'low to moderate' exploitability category for most environments. The attack is trivial from a technical perspective—reading from the vulnerable driver requires no special kernel exploit techniques or race conditions. An unprivileged local user can trigger the information leak through normal driver interactions. However, practical impact depends on what kernel data happens to reside on the stack at the time of the copy, making the usefulness of each leak somewhat variable. This is not remotely exploitable and does not require kernel-level privileges, only user-level access.
Remediation
Apply the kernel patch that initializes the papr_hvpipe_hdr structure to zero before the copy_to_user() operation. This patch has been merged into the Linux kernel source tree. Affected users should update their kernel to a patched version. Check with your Linux distribution (Red Hat, SUSE, Canonical, or other POWER-aware vendors) for official kernel updates, as they typically backport security fixes to their supported kernel branches. Systems running unsupported or custom kernel versions should apply the upstream patch directly or upgrade to a supported distribution release with the fix applied.
Patch guidance
Obtain the patched kernel from your distribution's security update channel. For Red Hat Enterprise Linux and derivatives, check for kernel-devel and kernel package updates addressing CVE-2026-46182. For Ubuntu and Canonical systems, check Livepatch or standard kernel package updates. For SUSE and openSUSE, consult the SUSE Security Advisory associated with this CVE. Apply the patch and reboot the affected systems at your earliest convenience. Verify post-patch kernel version against the advisory to confirm the fix is in place. For custom or non-distribution kernels, obtain the fix from the upstream Linux kernel repository and apply it to your kernel source tree before rebuilding.
Detection guidance
Detection at runtime is difficult because the vulnerability is a silent information leak with no error messages or system-level indicators. Kernel-level auditing may log copy_to_user() calls from the papr-hvpipe driver, but this will not distinguish vulnerable from patched versions. The most practical detection approach is asset inventory verification: scan systems for kernel versions and POWER processor architecture, then cross-reference against the affected version ranges published by your distribution. Privileged monitoring of driver ioctl calls or sysfs exports from papr-hvpipe could provide heuristic signals in mature environments. Code review and static analysis of the driver source can confirm whether the vulnerability is present in a given kernel build.
Why prioritize this
While this vulnerability carries a MEDIUM CVSS score, it should not be treated as low-urgency. Information disclosure on POWER Systems infrastructure can facilitate sophisticated attacks. Prioritize this for systems that (1) run POWER architecture, (2) host sensitive workloads, (3) have untrusted local users, or (4) are in regulated industries requiring strict data confidentiality. For organizations without POWER Systems infrastructure, this is not relevant. For those with POWER deployments, include it in your next kernel patching cycle, ideally within 30-60 days depending on change management policies.
Risk score, explained
The CVSS v3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (the attacker must be on the system), Attack Complexity Low (no special conditions required), Privileges Required Low (unprivileged user access is sufficient), User Interaction None, Scope Unchanged (impact is confined to the affected system), and Confidentiality Impact High (sensitive kernel memory is exposed). Integrity and Availability are rated as None because the vulnerability does not modify data or cause denial of service. The score appropriately reflects a localized information disclosure that is straightforward to exploit but limited in scope. Organizations with robust local access controls and low tolerance for information leaks may treat this as higher priority than the numerical score suggests.
Frequently asked questions
Does this vulnerability affect systems without IBM POWER processors?
No. This vulnerability is specific to the IBM POWER Systems architecture (pseries) and the papr-hvpipe hypervisor interface driver. x86, ARM, and other architectures are unaffected. If your infrastructure runs only on mainstream x86 or cloud VM hypervisors, you can deprioritize this CVE.
Can this be exploited remotely or without local user access?
No. The vulnerability requires local user access to the affected system. Remote exploitation is not possible because the vulnerable driver interface is not network-exposed. If you can restrict local user access through account provisioning policies, you reduce exposure, but patching remains the recommended fix.
What type of kernel data could be leaked?
The leaked data comes from uninitialized kernel stack memory, which may contain fragments of previous function calls, local variables, pointers, or other transient kernel state. The exact content is unpredictable and depends on system activity at the time of the leak. An attacker may need to perform multiple queries to gather useful information, but sensitive data like cryptographic keys or ASLR bypass information could theoretically be present.
Is there a workaround if I cannot patch immediately?
The most effective workaround is to restrict local user access to the system or disable the papr-hvpipe driver if it is not actively used. However, these mitigations are not practical for production systems. Patching is the recommended solution. If your system is air-gapped or has strong access controls, risk may be tolerable for a short grace period, but prioritize patching within your normal maintenance window.
This analysis is provided for informational purposes. Verify all patch versions, affected kernel releases, and remediation steps against official advisories from your Linux distribution, the Linux kernel security team, and IBM. The information contained herein is current as of the publication date but may be subject to updates. Always perform testing in a non-production environment before applying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of remediation timelines or vendor statements referenced herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46207MEDIUMLinux vsock/virtio Incomplete Payload Disclosure in Network Monitoring
- CVE-2026-46221MEDIUMLinux Kernel EDAC Versalnet Memory Leak Vulnerability