CVE-2026-46283
Received Received - Intake
Memory Leak in Linux Kernel TPM Driver

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-46283
EUVD
EUVD-2026-35148
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability involves the improper freeing of sensitive cryptographic material in the Linux kernel's TPM driver, where sensitive data such as HMAC session keys, nonces, and passphrase data are not securely erased from memory before being freed. This could potentially lead to unauthorized access to sensitive cryptographic information if the memory is later accessed.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of sensitive cryptographic material could impact compliance with these regulations, which require protection of sensitive data and cryptographic keys to ensure confidentiality and data security.

By not securely erasing sensitive keys, the vulnerability could increase the risk of data breaches or unauthorized data access, which are critical concerns under regulations such as GDPR and HIPAA.

Executive Summary

This vulnerability exists in the Linux kernel's TPM (Trusted Platform Module) driver, specifically in the function tpm_dev_release().

The function tpm_dev_release() uses the standard kfree() function to free memory that contains sensitive cryptographic material such as HMAC session keys, nonces, and passphrase data (stored in struct tpm2_auth).

Unlike other parts of the driver that use kfree_sensitive() to zero out this sensitive memory before freeing it, tpm_dev_release() does not clear the memory, leaving sensitive data in freed memory until it is overwritten.

This inconsistency could potentially expose sensitive cryptographic material after the device is released.

Impact Analysis

The vulnerability can lead to sensitive cryptographic material such as HMAC session keys, nonces, and passphrase data remaining in freed memory without being cleared.

This leftover sensitive data could potentially be accessed by unauthorized processes or attackers who can read freed memory, leading to information disclosure.

Such exposure could compromise the security of cryptographic operations relying on these keys and session data.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the tpm_dev_release() function uses kfree_sensitive() instead of kfree() to free the auth session.

This ensures that sensitive cryptographic material such as HMAC session keys, nonces, and passphrase data are securely zeroed out from memory during device teardown, preventing potential leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart