Skip to main content

Linux Kernel CVE-2026-46283

| EUVDEUVD-2026-35148 MEDIUM
2026-06-08 Linux GHSA-c745-g7j9-cpw5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local access and a chained memory-read primitive are required; actual impact is confidentiality of TPM key material, not availability.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:58 vuln.today
CVSS changed
Jul 08, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()

tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth).

Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten.

Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown.

AnalysisAI

Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.

Technical ContextAI

The vulnerability resides in the Linux kernel TPM subsystem (drivers/char/tpm), specifically the tpm_dev_release() callback invoked when a TPM character device is closed. chip->auth is a struct tpm2_auth object that holds live TPM2 HMAC session state: session keys, caller and TPM-generated nonces, and passphrase material used to authenticate commands to the TPM. The kernel provides kfree_sensitive() (memzero_explicit() followed by kfree()) for exactly this scenario-ensuring key material is scrubbed from DRAM before the slab page is returned to the allocator and potentially reallocated to another task. The omission means that freed pages containing key material can persist in the slab until overwritten by a later allocation. Although no formal CWE is assigned in the input, this maps to CWE-226 (Sensitive Information in Resource Not Removed Before Reuse). Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, starting at the commit that introduced chip->auth teardown in the 6.10 series.

RemediationAI

Upgrade to a patched kernel version: 6.12.86 or later on the 6.12 stable branch, 6.18.27 or later on the 6.18 stable branch, 7.0.4 or later on the 7.0 stable branch, or pull from 7.1-rc1 or later upstream. Ubuntu users should apply the kernel packages provided in USN-8488-1 or USN-8489-1. Where immediate kernel replacement is not feasible, restrict access to TPM device nodes (/dev/tpm0 and /dev/tpmrm0) to the minimum required set of users and service accounts - this narrows the window for any secondary process to observe freed slab contents, though it does not eliminate the root cause. Additionally, configuring kernel lockdown mode (where supported) limits unprivileged access to /proc/kcore and other memory-exposure interfaces, reducing the likelihood that a second-stage read primitive can be chained. Neither workaround substitutes for patching.

Share

CVE-2026-46283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy