Description
In the Linux kernel, the following vulnerability has been resolved:

tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()

tpm_dev_release() uses plain kfree() to free chip->auth, which contains
sensitive cryptographic material including HMAC session keys, nonces,
and passphrase data (struct tpm2_auth).

Every other code path that frees this structure uses kfree_sensitive()
to zero the memory before releasing it: both tpm2_end_auth_session()
and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path
is the only one that does not, leaving key material in freed slab
memory until it is eventually overwritten.

Use kfree_sensitive() for consistency with the rest of the driver and
to ensure session keys are scrubbed during device teardown.
Published: 2026-06-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the TPM driver using plain memory deallocation for the authentication session structure, leaving cryptographic material such as HMAC keys, nonces and passphrase data in memory that has only been freed, not zeroed. This exposure allows other processes or code that gains read‑only access to kernel memory to read the residual data, potentially compromising the secrecy and integrity of the authentication session.

Affected Systems

All Linux kernel releases that include the TPM driver and have not yet applied the patch. The affected product is the Linux kernel, with changes introduced in the kernel source commit referenced in the advisory. No specific version numbers are provided, so any kernel version running the unpatched TPM driver is potentially vulnerable.

Risk and Exploitability

The CVSS score is 5.5, and EPSS data is unavailable, but the vulnerability is listed as not in the CISA KEV catalog. The risk is primarily data exfiltration of session keys which could be leveraged by a local attacker with kernel or privileged access to read the residual data before it is overwritten. The attack vector is therefore likely local, requiring the attacker to already have the capability to access kernel memory. Since the condition involves memory that is ultimately freed, successful exploitation would depend on timing and optimal memory layout. The overall risk is moderate to high for systems in which the TPM driver is used and the attacker can obtain kernel exploitation, but remote exploitation is unlikely without additional kernel vulnerabilities.

Generated by OpenCVE AI on June 9, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest release that includes the kfree_sensitive fix for tpm_dev_release().
  • Reboot the system to ensure all TPM sessions are properly closed and memory scrubbed.
  • If the TPM device is not required, disable or blacklist the TPM kernel module to eliminate the attack surface.

Generated by OpenCVE AI on June 9, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-212
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 08 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown.
Title tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-08T15:41:26.425Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46283

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:46.063

Modified: 2026-06-08T17:16:46.063

Link: CVE-2026-46283

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46283 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T01:30:26Z

Weaknesses