Skip to main content

Linux Kernel CVE-2026-46109

| EUVDEUVD-2026-32868 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q7hg-qx63-q53r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privilege required to reach USB ULPI registration paths; no confidentiality or integrity impact, only gradual availability degradation via memory exhaustion.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 20:53 vuln.today
CVSS changed
Jun 24, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: fix memory leak on ulpi_register() error paths

Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.

But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.

Add kfree(ulpi) on both error paths to properly clean up the allocation.

AnalysisAI

Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.

Technical ContextAI

ULPI (UTMI+ Low Pin Interface) is a PHY interface protocol used for USB 2.0 high-speed OTG transactions, commonly found in embedded and mobile Linux systems. The vulnerable code resides in drivers/usb/common/ulpi.c within the ulpi_register() function. CWE-401 (Missing Release of Memory after Effective Lifetime) is the root cause: the struct ulpi object is allocated early in ulpi_register(), but two early-exit error paths - when ulpi_of_register() and ulpi_read_id() return failure - exit the function without ever calling kfree(ulpi). This was not present in the original code but was introduced as a side effect of commit 01af542392b5, which removed a kfree(ulpi) to fix a double-free on the device_register() failure path. The fix adds kfree(ulpi) on the two pre-device-register error paths only, restoring proper cleanup without reintroducing the double-free. All affected versions span CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable branches.

RemediationAI

Upgrade to a patched Linux kernel stable release: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 depending on the branch in use. Specific fix commits are available at https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d, https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d, https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385, https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c, and https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b. Distribution maintainers (Debian, Ubuntu, RHEL, SUSE) should be monitored for backported stable packages. If patching is not immediately feasible on embedded systems with ULPI hardware, restrict physical and logical access to USB interfaces to prevent low-privilege users from triggering repeated registration failure events - this reduces accumulation rate but does not eliminate the leak if ULPI devices are in legitimate use. There is no meaningful integrity or confidentiality trade-off to these controls.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy