GHSA-qhcg-6255-c538unknown

In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an...

Published
June 25, 2026
Last Modified
June 25, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()

There is an bug in which an uninitialized stack variable is used in rseq_exit_user_update() as reported by syzbot:

BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline]

The local variable:

struct rseq_ids ids = {
	.cpu_id	 = task_cpu(t),
	.mm_cid	 = task_mm_cid(t),
	.node_id = cpu_to_node(ids.cpu_id),
};

According to the C standard, the evaluation order of expressions in an initializer list is indeterminately sequenced. The compiler (Clang, in this KMSAN build) evaluates cpu_to_node(ids.cpu_id) before ids.cpu_id is initialized with task_cpu(t).

This is fixed by moving the assignment of ids.node_id outside the structure initialization.

🔗 References (4)