CVE-2026-23156 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: fix error propagation in efivar_entry_get()
efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors.
This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path.
Fix it by returning the error from __efivar_entry_get().
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/05/2026
The vulnerability identified as CVE-2026-23156 resides within the Linux kernel's efivarfs filesystem implementation, specifically affecting the efivar_entry_get() function that handles variable retrieval operations. This flaw represents a critical error propagation issue that undermines the integrity of the system's firmware variable handling mechanisms. The vulnerability manifests when the underlying __efivar_entry_get() function encounters an error during variable retrieval, yet the efivar_entry_get() wrapper function fails to properly propagate this error condition back to the caller. This design flaw creates a false positive scenario where the system reports successful completion of operations that actually failed internally, leading to potentially dangerous data exposure conditions.
The technical implementation of this vulnerability stems from improper error handling within the efivarfs subsystem which is responsible for exposing UEFI firmware variables through a virtual filesystem interface. When __efivar_entry_get() encounters failures such as invalid variable names, insufficient permissions, or corrupted firmware variable data, it correctly signals these errors internally but efivar_entry_get() ignores these error codes and returns a successful status indicator. This behavior creates a dangerous race condition where uninitialized memory segments from kernel heap allocations are inadvertently copied to userspace through the efivarfs_file_read() pathway, effectively leaking potentially sensitive kernel memory contents to unprivileged userspace processes.
The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a potential attack vector for privilege escalation and system compromise. Attackers could exploit this flaw to extract uninitialized kernel memory contents, which may contain sensitive information such as cryptographic keys, passwords, or other confidential data stored in memory. The vulnerability affects systems running Linux kernels that implement efivarfs functionality, particularly those utilizing UEFI firmware variable interfaces. According to CWE classification, this represents a weakness in error handling and memory management (CWE-704), while the ATT&CK framework would categorize this under privilege escalation techniques (T1068) and information gathering (T1082) due to the potential for sensitive data exposure.
Mitigation strategies for CVE-2026-23156 require immediate kernel updates that properly propagate error codes from __efivar_entry_get() to efivar_entry_get() functions, ensuring that all error conditions are correctly handled and reported. System administrators should prioritize patching affected kernel versions and monitor for any unusual activity in efivarfs access patterns that might indicate exploitation attempts. Additional defensive measures include implementing proper access controls for efivarfs mount points, restricting userspace access to firmware variables, and deploying kernel module monitoring to detect unauthorized modifications to kernel memory structures. The fix implemented in the patched kernel versions ensures that error conditions from the underlying firmware variable retrieval mechanisms are properly communicated up the call stack, preventing the leakage of uninitialized memory contents to userspace processes.