CVE-2026-46167
Received Received - Intake
Heap Leak in Linux Kernel USBLP Driver via LPGETSTATUS

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-46167
EUVD
EUVD-2026-32794
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by fixing the usblp driver in the Linux kernel to properly initialize the memory buffer at probe time, preventing uninitialized heap leaks via the LPGETSTATUS ioctl.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.


How can this vulnerability impact me? :

This vulnerability can lead to unintended disclosure of kernel heap memory contents to user space. An attacker controlling a malicious USB printer or able to manipulate printer responses could exploit this flaw to read uninitialized memory, potentially exposing sensitive information residing in kernel memory.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's usblp driver, which handles USB printers. The issue arises because a memory buffer (statusbuf) allocated during device probe is not initialized before use. When the LPGETSTATUS ioctl command is called, if a malicious printer responds with zero bytes, the driver may leak uninitialized heap memory to the user by copying stale data from this buffer. This happens because the driver collapses the return value of usb_control_msg() and does not properly detect short or incorrect responses, leading to potential exposure of leftover kernel memory.

The fix involves zeroing out the memory buffer when it is allocated, ensuring that if a short read occurs later, no sensitive or stale data is leaked.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart