CVE-2026-46151
Heap Leak in Linux Kernel USB Printer Driver
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap leak in the Linux kernel's usblp driver when handling IEEE 1284 device ID responses from USB printers. Detection would involve checking if the system is running a vulnerable version of the Linux kernel with the affected usblp driver.
Since the vulnerability is related to the usblp driver and USB printers, you can check for the presence of the usblp module and inspect the ieee1284_id sysfs attribute for suspicious or unexpected data that might indicate stale heap exposure.
Suggested commands to help detect the vulnerability or its effects include:
- Check if the usblp module is loaded: lsmod | grep usblp
- List USB printers and their device IDs: lsusb -v | grep -A 10 Printer
- Inspect the ieee1284_id sysfs attribute for USB printer devices, for example: cat /sys/class/usblp/usblp0/ieee1284_id
Note that these commands do not directly detect the heap leak but can help identify if the system is using the affected driver and if the device ID data exposed might contain uninitialized or stale data.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's usblp driver, which handles USB printers. The issue arises because the driver incorrectly processes the response length from a printer's GET_DEVICE_ID control transfer. Specifically, the driver trusts a 2-byte length prefix from the device without proper validation, leading to a situation where if a device sends a short response (only two bytes), the driver ends up exposing stale heap memory.
The stale heap memory is exposed through two interfaces: the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. This happens because the buffer allocated to store the device ID is not properly cleared before use, allowing leftover data from previous allocations to be leaked.
The fix involves zeroing out the buffer before each request to the device, preventing the exposure of uninitialized heap data.
How can this vulnerability impact me? :
This vulnerability can lead to information leakage by exposing uninitialized kernel heap memory through the printer device interface. An attacker controlling or impersonating a USB printer device could cause the driver to leak potentially sensitive kernel memory contents.
Such information leaks could be used to gain insights into kernel memory layout or other sensitive data, which might aid in further attacks or privilege escalation.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by ensuring the buffer used to store the device ID string is zeroed out before each request sent to the device. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.
- Apply the latest Linux kernel update that addresses the heap leak in the usblp driver.
- Avoid using broken or untrusted USB printers that may trigger this vulnerability until the fix is applied.