Description
In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()

tpm2_read_public() calls tpm_buf_init() but fails to call
tpm_buf_destroy() on two exit paths, leaking a page allocation:

1. When name_size() returns an error (unrecognized hash algorithm),
the function returns directly without destroying the buffer.

2. On the success path, the buffer is never destroyed before
returning.

All other error paths in the function correctly call
tpm_buf_destroy() before returning.

Fix both by adding the missing tpm_buf_destroy() calls.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the TPM 2.0 session code in the Linux kernel, where tpm2_read_public(), the function that reads a TPM object's public area, fails to free the page-sized buffer it allocates with tpm_buf_init() on two code paths. This omission causes a kernel memory leak that can gradually exhaust available memory and potentially lead to a denial-of-service condition when the system runs out of pages. The leak is purely a resource depletion issue with no direct integrity or confidentiality impact, but it can degrade system performance and stability.
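A userspace model of the two leaking exits and of the fix, added here as an example; it is not the kernel's code. The model_* helpers, the 4-page pool and the algorithm ids (1 is recognized, anything else is not) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define POOL_PAGES 4                 /* constructed: tiny pool so exhaustion shows fast */
static int pages_in_use;             /* pages handed out and not yet returned */
struct model_buf { int held; };

static int model_buf_init(struct model_buf *b)       /* models tpm_buf_init() */
{
	if (pages_in_use == POOL_PAGES) return -ENOMEM;
	pages_in_use++;
	b->held = 1;
	return 0;
}
static void model_buf_destroy(struct model_buf *b)   /* models tpm_buf_destroy() */
{
	if (b->held) { b->held = 0; pages_in_use--; }
}
/* Models name_size(): error for an unrecognized hash algorithm id (values constructed). */
static int model_name_size(int alg) { return alg == 1 ? 34 : -EINVAL; }

static int read_public_before(int alg)               /* the two leaking exits */
{
	struct model_buf buf;
	int rc = model_buf_init(&buf);
	if (rc) return rc;
	rc = model_name_size(alg);
	if (rc < 0) return rc;                           /* exit 1: error, no destroy */
	return 0;                                        /* exit 2: success, no destroy */
}

static int read_public_after(int alg)                /* destroy on both exits */
{
	struct model_buf buf;
	int rc = model_buf_init(&buf);
	if (rc) return rc;
	rc = model_name_size(alg);
	model_buf_destroy(&buf);
	return rc < 0 ? rc : 0;
}

int main(void)
{
	for (int i = 0; i < 100; i++) read_public_after(i % 2);
	printf("after fix:  100 calls, %d pages in use\n", pages_in_use);
	for (int i = 0; i <= POOL_PAGES; i++) {
		int rc = read_public_before(i % 2);
		printf("before fix: call %d rc=%d, %d pages in use\n", i + 1, rc, pages_in_use);
	}
	return 0;
}
```

In the model, each call to the unfixed function keeps one page whether the size lookup succeeds or fails, and once the pool is empty even the fixed function fails at allocation.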

Affected Systems

All Linux distributions that bundle the affected Linux kernel versions are susceptible; the CPE entry "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*" matches the Linux kernel with every version field wildcarded. No vendor names are given beyond "Linux:Linux", so any system running the affected kernel revision should be considered at risk until the patch is applied.

Risk and Exploitability

The problem is a missing cleanup routine rather than an input validation flaw, so exploitation requires the ability to trigger the tpm2_read_public() function repeatedly. The likely vector is local extraction of TPM resources, meaning that a user with at least local access to the kernel’s TPM subsystem could initiate the leak. No known public exploits exist, and the CVE does not appear in CISA’s KEV catalog. The EPSS score is not available, implying no recent quantitative assessment of exploitation probability. Nevertheless, the high severity of a memory‑leak exploit that can cause the kernel to run out of pages warrants a defensive posture.

Generated by OpenCVE AI on May 27, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the version that contains the tpm_buf_destroy fix for tpm2_read_public().
  • If an immediate kernel update is not feasible, consider disabling TPM functionality or restricting access to the TPM device using SELinux or similar policy tools to limit the ability to trigger the leaking path.
  • After applying the kernel update, monitor system memory usage for any anomalous patterns that could indicate residual leaks or other issues.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation: 1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer. 2. On the success path, the buffer is never destroyed before returning. All other error paths in the function correctly call tpm_buf_destroy() before returning. Fix both by adding the missing tpm_buf_destroy() calls.
Title | | tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:56.233Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46096

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:31.220

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:15Z

Weaknesses

No weakness.