Skip to main content

Linux Kernel EUVDEUVD-2026-32337

| CVE-2026-45871 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x542-jg8f-r599
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with a low-privilege account required to trigger TPM send; only TPM locality exhaustion results - no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:14 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tpm: st33zp24: Fix missing cleanup on get_burstcount() error

get_burstcount() can return -EBUSY on timeout. When this happens, st33zp24_send() returns directly without releasing the locality acquired earlier.

Use goto out_err to ensure proper cleanup when get_burstcount() fails.

AnalysisAI

Resource leak in the Linux kernel's st33zp24 TPM driver allows a low-privileged local user to exhaust TPM localities and deny TPM service on systems equipped with STMicroelectronics ST33ZP24 hardware. When get_burstcount() returns -EBUSY on timeout, st33zp24_send() exits without releasing the previously acquired TPM locality, creating a cumulative leak that can render all subsequent TPM operations unavailable. No public exploit code exists and EPSS probability is 0.02% (7th percentile), but systems relying on the ST33ZP24 for measured boot or disk-encryption attestation face meaningful operational risk if exploited.

Technical ContextAI

The ST33ZP24 is an STMicroelectronics Trusted Platform Module supported by the tpm_st33zp24 Linux kernel driver. TPM access is mediated through 'localities' - numbered access-control regions that a driver must acquire before submitting commands and release afterward. In st33zp24_send(), the locality is acquired early in the send path; however, the error branch reached when get_burstcount() returns -EBUSY (a timeout condition) performed a direct return, bypassing the cleanup code responsible for releasing that locality. The root cause is a missing goto to an error-handling label - a classic CWE-459 (Incomplete Cleanup) pattern. Each timed-out send operation permanently leaks one locality allocation until the TPM subsystem becomes unresponsive. No CWE is formally assigned in NVD, but the mechanism is unambiguously an incomplete error-path cleanup affecting a finite kernel resource.

RemediationAI

Upgrade to a patched stable kernel release: 5.10.252+ (5.10.x), 5.15.202+ (5.15.x), 6.1.165+ (6.1.x), 6.6.128+ (6.6.x), 6.12.75+ (6.12.x), 6.18.14+ (6.18.x), 6.19.4+ (6.19.x), or 7.0+ (mainline). Individual stable fix commits are published at https://git.kernel.org/stable/c/1256c6dc96d1e687e6e9b63088156ed07411b00c, https://git.kernel.org/stable/c/3e91b44c93ad2871f89fc2a98c5e4fe6ca5db3d9, and related hashes listed in the NVD references. Where immediate patching is not possible, blacklisting the tpm_st33zp24 kernel module (add 'blacklist tpm_st33zp24' to /etc/modprobe.d/blacklist.conf and reboot) prevents the vulnerable code path from executing; the trade-off is complete loss of ST33ZP24 TPM functionality, which may break disk-encryption unlock, measured-boot attestation, or any application consuming the TPM via /dev/tpm0.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy