Skip to main content

Linux Kernel EUVDEUVD-2026-32794

| CVE-2026-46167 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vq8g-vcx9-rmc5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
2.5 LOW

Malicious USB device cooperation required (AC:H); low-privileged local access needed (PR:L); only one stale heap byte leaks per ioctl (C:L); no availability or integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:37 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.

Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that.

statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.

AnalysisAI

Uninitialized heap memory in the Linux kernel's usblp USB printer driver leaks a stale kernel byte to userspace through the LPGETSTATUS ioctl when a malicious or non-compliant USB printer returns zero bytes to a one-byte status request. Affected branches span kernel versions from 2.6.12 through 6.18.x, 7.0.x, and 7.1-rc3, with fixes available in stable releases 6.6.140, 6.12.88, 6.18.30, and 7.0.7. No public exploit exists and EPSS stands at 0.02% (5th percentile); exploitation requires local access, a cooperating malicious USB device, and access to the printer device node - substantially narrowing real-world risk despite the breadth of affected kernel versions.

Technical ContextAI

The usblp driver (drivers/usb/class/usblp.c) allocates an 8-byte status buffer via kmalloc() at USB probe time without zeroing the allocation. The usblp_ctrl_msg() wrapper collapses the return value of usb_control_msg() to 0/-errno, discarding the actual byte count transferred. When usblp_read_status() issues a one-byte control request and a malicious (or buggy) printer responds with zero bytes, the buffer remains at its stale kmalloc content. That uninitalized byte is then sign-extended into a local int and passed directly to userspace via copy_to_user() in the LPGETSTATUS ioctl path. This is a textbook CWE-908 (Use of Uninitialized Resource) defect: the fix is simply to zero the buffer at allocation time with kzalloc, ensuring that any short-read falls back to the last known good value rather than raw heap residue. Affected CPE: cpe:2.3:o:linux:linux_kernel across all tracked branches from 2.6.12 onward through the unpatched stable series.

RemediationAI

Upgrade to a patched stable kernel: 6.6.140, 6.12.88, 6.18.30, or 7.0.7 (patch version confirmed from EUVD affected-version data). The upstream fixes are available as stable commits at git.kernel.org - specifically 6b0e7438e31c, 762a6ccf391d, a502b997668, b38e53cbfb9d, d06d937b0a4c, 087d97342c10, 0f7c41314ebf, and cf24991619be. If immediate kernel upgrade is not feasible, blacklisting the usblp module (add 'blacklist usblp' to /etc/modprobe.d/blacklist.conf and run depmod -a) eliminates the attack surface entirely at the cost of disabling USB printing. Alternatively, restrict physical USB port access via port blockers or BIOS/UEFI controls to prevent attachment of malicious devices. Tightening permissions on /dev/usb/lp* device nodes so that only the lp group or trusted users can open them limits the LPGETSTATUS ioctl exposure to already-authorized printer users. Generic 'apply defense in depth' advice is insufficient here - the module blacklist or port restriction are the most effective compensating controls when patching is delayed.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy