Description
In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix heap leak in IEEE 1284 device ID via short response

usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred. A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:
- via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
at the first NUL in the stale heap), and
- via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
claimed length regardless of NULs, up to 1021 bytes of uninitialized
heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request
sent to the device.
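A user-space model of the flaw described above, added here as an illustration; it is not the kernel's code or the upstream patch. The function names, the 0xAA "stale heap" marker and both sample responses are constructed for the example, and the length handling follows only what the description states (2-byte big-endian prefix, clamped to the buffer bounds).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_SIZE 1024  /* buffer size from the description: kmalloc(1024) */
#define STALE   0xAA  /* constructed marker standing in for old heap contents */

/* Constructed device responses: prefix only, and a complete 10-byte ID. */
static const uint8_t SHORT_RESP[] = { 0x03, 0xFF };
static const uint8_t FULL_RESP[]  = { 0x00, 0x0A, 'M','F','G',':','A','B','C',';' };

/* Hypothetical stand-in for the transfer wrapper: reports only 0 or an error. */
static int sim_ctrl_msg(uint8_t *buf, size_t cap, const uint8_t *resp, size_t n)
{
    if (n > cap) return -1;
    memcpy(buf, resp, n);
    return 0;               /* the byte count n is discarded here */
}

/* Model of the caching step; zero_first=1 applies the fix (clear before request). */
static size_t sim_cache_id(uint8_t *buf, const uint8_t *resp, size_t n, int zero_first)
{
    size_t len;
    if (zero_first) memset(buf, 0, ID_SIZE);
    if (sim_ctrl_msg(buf, ID_SIZE - 1, resp, n) < 0) return 0;
    len = ((size_t)buf[0] << 8) | buf[1];       /* 2-byte big-endian prefix */
    if (len < 2) len = 2;
    else if (len >= ID_SIZE) len = ID_SIZE - 1; /* clamped to buffer bounds only */
    buf[len] = '\0';
    return len;
}

/* Number of stale bytes inside the range the ioctl path would copy out. */
size_t stale_bytes_exposed(const uint8_t *resp, size_t n, int zero_first)
{
    uint8_t buf[ID_SIZE];
    size_t i, len, stale = 0;
    memset(buf, STALE, sizeof(buf));            /* simulate recycled heap */
    len = sim_cache_id(buf, resp, n, zero_first);
    for (i = 0; i < len; i++) stale += (buf[i] == STALE);
    return stale;
}

int main(void)
{
    printf("short unpatched=%zu, short zeroed=%zu, full unpatched=%zu\n",
           stale_bytes_exposed(SHORT_RESP, sizeof SHORT_RESP, 0),
           stale_bytes_exposed(SHORT_RESP, sizeof SHORT_RESP, 1),
           stale_bytes_exposed(FULL_RESP, sizeof FULL_RESP, 0));
    return 0;
}
```

With the buffer zeroed first, the same short response yields a claimed range that contains only the two prefix bytes and zeros.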
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel USB printer driver (usblp). During a GET_DEVICE_ID control transfer, the driver trusts the length advertised by the device, and the 1024‑byte buffer is not cleared before each request. When a device replies with only the two‑byte length prefix while claiming a long ID, the rest of the buffer still holds stale heap contents. That stale data, up to 1021 bytes, can be read through the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl, disclosing uninitialized memory to the caller. The weakness is classified as CWE‑824 and CWE‑401 (memory leak).

Affected Systems

The affected product is the Linux kernel on all distributions that include the usblp driver, as indicated by the vendor products list Linux:Linux. No specific kernel version range is cited, so any kernel that contains the pre‑patch code is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of <1% suggests a very low probability of exploitation. The vulnerability requires a malicious USB printer device to send a crafted short GET_DEVICE_ID response, so it is exploitable only on systems that have the usblp driver enabled and accept USB printer connections. Even in those environments, the exposed stale data could reveal application secrets or internal kernel structures to local users with access to the IOCNR_GET_DEVICE_ID ioctl or the ieee1284_id sysfs attribute. The issue is not listed in the CISA KEV catalog, and no product‑level warning is currently available, so immediate patching remains the most prudent course of action. The current CWE mapping lists only CWE‑824 and CWE‑401.

Generated by OpenCVE AI on June 9, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the usblp heap zeroing fix from commit 522d17e93a85575256894212d10e5a1fa6f36529 and subsequent merges
  • If a kernel upgrade is delayed, disable the usblp driver or block IEEE 1284 printer devices by adding a udev rule that prevents loading the driver for class 07 devices
  • Avoid using untrusted USB printers or devices that may send malformed GET_DEVICE_ID responses; enforce strict device whitelisting on production systems

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-665

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-665

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Title usb: usblp: fix heap leak in IEEE 1284 device ID via short response
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:20.398Z

Reserved: 2026-05-13T15:03:33.101Z

Link: CVE-2026-46151

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:30.723

Modified: 2026-06-09T21:06:37.910

Link: CVE-2026-46151

Redhat

Severity : Moderate

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46151 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-824

    Access of Uninitialized Pointer