Skip to main content

Linux Kernel CVE-2026-46151

| EUVDEUVD-2026-32778 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-589q-vfc2-j9cg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 23:27 vuln.today
CVSS changed
Jun 09, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix heap leak in IEEE 1284 device ID via short response

usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:

  • via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated

at the first NUL in the stale heap), and

  • via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full

claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request sent to the device.

AnalysisAI

Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.

Technical ContextAI

The vulnerability resides in drivers/usb/class/usblp.c, specifically the interaction between usblp_ctrl_msg() and usblp_cache_device_id_string(). During USB printer probing, a 1024-byte buffer is kmalloc'd and a USB control transfer (GET_DEVICE_ID per IEEE 1284) is issued. The bug is that usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual byte count transferred. A printer (or malicious USB device) that sends only 2 bytes with an inflated length field (e.g., 0x03FF claiming 1023 bytes) leaves bytes 2-1022 holding stale heap data from prior allocations. The driver then exposes this stale content via sysfs and ioctl without bounds-checking against actual received data. CWE-401 (Missing Release of Memory after Effective Lifetime) is assigned, though CWE-908 (Use of Uninitialized Resource) and CWE-200 (Exposure of Sensitive Information to Unauthorized Actor) more precisely describe the actual disclosure impact. Affected CPE: cpe:2.3:o:linux:linux_kernel across a wide version range starting from the initial kernel git commit (1da177e4c3f4).

RemediationAI

Apply the vendor-released patches by upgrading to Linux kernel 6.6.140 or later on the 6.6.x stable branch, 6.12.88 or later on the 6.12.x stable branch, 6.18.30 or later on the 6.18.x stable branch, 7.0.7 or later on the 7.0.x stable branch, or 7.1-rc3 or later on mainline. Upstream fix commits are available at https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529 and related commits listed in the references. For systems where immediate patching is not feasible, blacklist or unload the usblp kernel module using 'modprobe -r usblp' or by adding 'blacklist usblp' to /etc/modprobe.d/usblp-blacklist.conf - note this completely disables USB printer support. Alternatively, restrict physical USB port access to trusted devices using USB device authorization (echo 0 > /sys/bus/usb/devices/usbX/authorized_default) to prevent unauthorized USB printers from being enumerated. On systems with mandatory access control, tighten SELinux or AppArmor policies to deny unprivileged access to the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl to limit data exfiltration even if a malicious device is connected.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy