Description
In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes transferred.

Ideally that short command should be detected and error out, but many
printers are known to send "incorrect" responses back so we can't just
do that.

statusbuf is kmalloc(8) at probe time and never filled before the first
LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds
with zero bytes, *statusbuf is one byte of stale kmalloc heap,
sign-extended into the local int status, which the LPGETSTATUS path then
copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at
probe time. If a later call does a short read, the data will be
identical to what the device sent it the last time, so there is no
"leak" of information happening.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The usblp USB printer driver contains a heap‑based information disclosure. When a device is first probed, its status buffer is allocated but never initialized. A malicious USB printer that sends an empty or too‑short response to the LPGETSTATUS ioctl causes the kernel to copy this uninitialized buffer to user space. The caller can therefore read arbitrary kernel‑heap contents, leaking sensitive data but not granting code execution or privilege escalation.

Affected Systems

All Linux kernel installations that ship the usblp driver are susceptible. The flaw exists in every kernel version prior to the commit that zeros the status buffer at probe time. The issue spans major kernel series, including historic versions such as 2.6.12 and recent releases such as 7.1; any distribution compiling the standard kernel will be affected unless the usblp module is omitted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% means exploitation is currently considered unlikely. An attacker would need to present a USB printer device that can issue the LPGETSTATUS ioctl; thus the attack requires either physical access or remote access to the USB bus. No evidence of code execution or privilege escalation exists, and the vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 11, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel version that includes the usblp status buffer zeroing patch
  • If USB printer support is not required, blacklist or unload the usblp kernel module
  • Limit physical access to USB ports or enforce device filtering to prevent malicious printers from connecting

Generated by OpenCVE AI on June 11, 2026 at 02:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Thu, 28 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.
Title usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:59:37.617Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46167

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T10:16:32.340

Modified: 2026-06-10T21:14:35.820

Link: CVE-2026-46167

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46167 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer

  • CWE-908

    Use of Uninitialized Resource