Description
In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix heap leak in IEEE 1284 device ID via short response

usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred. A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:
- via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
at the first NUL in the stale heap), and
- via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
claimed length regardless of NULs, up to 1021 bytes of uninitialized
heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request
sent to the device.
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel USB printer driver (usblp). During a GET_DEVICE_ID control transfer, the driver trusts an advertised length supplied by the device, reading up to 1021 bytes from a 1024‑byte buffer that is not cleared before each request. When a device replies with a two‑byte length prefix that claims a lengthy ID but actually supplies only the prefix bytes, the remaining buffer remains populated with stale heap contents. This stale data can be accessed through the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl, leading to the disclosure of uninitialized memory to the calling context.
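A user-space model of the behaviour described above, added here as an illustration and not taken from the kernel source or the fix commit. `fake_ctrl_msg`, `cache_device_id` and `stale_bytes_exposed` are hypothetical names, the 0xAA fill is a constructed stand-in for stale heap, and the lower clamp and NUL terminator are assumptions about how the length is bounded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ID_BUF_SIZE 1024 /* size of the kmalloc(1024) buffer named above */

/* Hypothetical stand-in for the transfer: copies what the device sent and,
 * like usblp_ctrl_msg(), returns only 0 or an error, never the byte count. */
static int fake_ctrl_msg(uint8_t *buf, const uint8_t *resp, size_t resp_len)
{
    if (resp_len > ID_BUF_SIZE)
        return -1;
    memcpy(buf, resp, resp_len);
    return 0;
}

/* Trusts the 2-byte big-endian prefix, clamped only to the buffer bounds.
 * zero_first = 1 applies the fix. Returns the claimed length, 0 on error. */
static size_t cache_device_id(uint8_t *buf, const uint8_t *resp,
                              size_t resp_len, int zero_first)
{
    size_t length;
    if (zero_first)
        memset(buf, 0, ID_BUF_SIZE); /* clear before each request */
    if (fake_ctrl_msg(buf, resp, resp_len) < 0)
        return 0;
    length = ((size_t)buf[0] << 8) | buf[1];
    if (length < 2)                  /* assumed lower clamp */
        length = 2;
    else if (length >= ID_BUF_SIZE)
        length = ID_BUF_SIZE - 1;
    buf[length] = '\0';              /* assumed terminator */
    return length;
}

/* Counts non-zero bytes in buf[2..length-1] that the device never sent. */
static size_t stale_bytes_exposed(int zero_first)
{
    static uint8_t buf[ID_BUF_SIZE];
    const uint8_t short_resp[2] = { 0x03, 0xFF }; /* claims 1023 bytes */
    size_t i, n = 0, length;
    memset(buf, 0xAA, sizeof(buf));  /* constructed "stale heap" contents */
    length = cache_device_id(buf, short_resp, sizeof(short_resp), zero_first);
    for (i = 2; i < length; i++)
        n += (buf[i] != 0);
    return n;
}

int main(void)
{
    printf("unpatched: %zu stale, patched: %zu\n", stale_bytes_exposed(0), stale_bytes_exposed(1));
}
```

The unpatched path hands back 1021 bytes the device never wrote; with the buffer cleared first, the same short response exposes only zeros.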

Affected Systems

The affected product is the Linux kernel on all distributions that include the usblp driver, as indicated by the vendor products list Linux:Linux and the CPE string cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. No specific kernel version range is cited, so any kernel that contains the pre‑patch code is vulnerable.

Risk and Exploitability

The CVSS score is not disclosed and the EPSS score is unavailable, so no exploitation probability has been published. Exploitation requires a malicious USB printer device that supplies a crafted short response, so the issue is exploitable only on systems that accept USB printer connections or have the usblp driver enabled. Although the risk is limited to those environments, the stale data could expose application secrets or internal kernel structures to local users with access to the ioctl or sysfs interface. The vulnerability is not listed in CISA KEV and no product-level warning is currently available, making immediate patching the most prudent approach.

Generated by OpenCVE AI on May 28, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the usblp heap zeroing fix from commit 522d17e93a85575256894212d10e5a1fa6f36529 and subsequent merges
  • If a kernel upgrade is delayed, disable the usblp driver or block IEEE 1284 printer devices by adding a udev rule that prevents loading the driver for class 07 devices
  • Avoid using untrusted USB printers or devices that may send malformed GET_DEVICE_ID responses; enforce strict device whitelisting on production systems


Advisories

No advisories yet.

History

Thu, 28 May 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-200, CWE-665 |

Thu, 28 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix heap leak in IEEE 1284 device ID via short response usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know. usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap. That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device. Fix this up by just zapping the buffer with zeros before each request sent to the device. |
| Title | | usb: usblp: fix heap leak in IEEE 1284 device ID via short response |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:36:07.397Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46151

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T10:16:30.723

Modified: 2026-05-28T10:16:30.723

Link: CVE-2026-46151

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T11:45:16Z

Weaknesses