CVE-2026-23156

Advisory lineage Upstream: 0 Downstream: 21

Downstream

DEBIAN-CVE-2026-23156 MGASA-2026-0097 MGASA-2026-0098 OPENSUSE-SU-2026:20416-1 RHSA-2026:4012 RHSA-2026:9095

Analyzed

Published: 14 Feb 2026, 16:01

Last modified:11 May 2026, 22:01

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Feb 2026, 16:01

Published

Vulnerability first disclosed

11 May 2026, 22:01

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation in efivar_entry_get() efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors. This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path. Fix it by returning the error from __efivar_entry_get().

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Affected Systems

linux•linux
≥ 2d82e6227ea189c0589e7383a36616ac2a2d248c, < 3960f1754664661a970dc9ebbab44ff93a0b4c42 | ≥ 2d82e6227ea189c0589e7383a36616ac2a2d248c, < 510a16f1c5c1690b33504052bc13fbc2772c23f8 | ≥ 2d82e6227ea189c0589e7383a36616ac2a2d248c, < 89b8ca709eeeabcc11ebba64806677873a2787a8 | ≥ 2d82e6227ea189c0589e7383a36616ac2a2d248c, < e4e15a0a4403c96d9898d8398f0640421df9cb16 | ≥ 2d82e6227ea189c0589e7383a36616ac2a2d248c, < 4b22ec1685ce1fc0d862dcda3225d852fb107995 | 6.0
linux•linux_kernel
≥ 6.0, < 6.1.162 | ≥ 6.2, < 6.6.123 | ≥ 6.7, < 6.12.69 | ≥ 6.13, < 6.18.9 | 6.19:rc1 | 6.19:rc2 | 6.19:rc3 | 6.19:rc4 | 6.19:rc5 | 6.19:rc6 | 6.19:rc7