PatchSiren cyber security CVE debrief

CVE-2026-45941 Linux CVE debrief

A locality leak vulnerability in the Linux kernel's Infineon I2C TPM driver (tpm_i2c_infineon) allows the TPM locality to remain held when get_burstcount() times out, potentially causing resource exhaustion or denial of service conditions. The issue occurs in tpm_tis_i2c_send() where a direct return on -EBUSY bypasses the cleanup path. The fix ensures proper locality release via goto out_err on all failure paths.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Infineon I2C TPMs, particularly those relying on TPM for measured boot, disk encryption (LUKS), or remote attestation. Kernel maintainers and embedded Linux developers using TPM security chips.

Technical summary

The tpm_i2c_infineon driver in the Linux kernel fails to release TPM locality when get_burstcount() returns -EBUSY (timeout condition). In tpm_tis_i2c_send(), locality is acquired at function entry but a direct return on get_burstcount() failure bypasses the cleanup code. The fix replaces the early return with a goto out_err to ensure locality_release() is always invoked. This is a classic resource leak pattern that could lead to TPM locality exhaustion, preventing subsequent TPM operations until system reset.
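The early-return leak and the goto out_err shape described above, as an added user-space model; this is not the kernel driver's code. Every name in it (mock_tpm, send_leaky, send_fixed and the mock_ helpers) is hypothetical, and it assumes a held locality makes the next request fail with -EBUSY.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the TPM (hypothetical); burst_busy simulates the timeout. */
struct mock_tpm { int locality_held; int burst_busy; };

static int mock_request_locality(struct mock_tpm *t)
{
    if (t->locality_held)
        return -EBUSY;          /* an earlier caller never released it */
    t->locality_held = 1;
    return 0;
}
static int mock_get_burstcount(struct mock_tpm *t) { return t->burst_busy ? -EBUSY : 8; }

/* Pre-fix shape: the direct return skips the release. */
int send_leaky(struct mock_tpm *t)
{
    int rc = mock_request_locality(t);
    if (rc < 0)
        return rc;
    rc = mock_get_burstcount(t);
    if (rc < 0)
        return rc;              /* locality stays held */
    return 0;                   /* model: the response step releases later */
}

/* Post-fix shape: failures after acquisition leave through out_err. */
int send_fixed(struct mock_tpm *t)
{
    int rc = mock_request_locality(t);
    if (rc < 0)
        return rc;
    rc = mock_get_burstcount(t);
    if (rc < 0)
        goto out_err;
    return 0;
out_err:
    t->locality_held = 0;       /* release on the failure path */
    return rc;
}

int main(void)
{
    struct mock_tpm a = { 0, 1 }, b = { 0, 1 };
    send_leaky(&a);
    send_fixed(&b);
    printf("held after timeout: leaky=%d fixed=%d\n", a.locality_held, b.locality_held);
    return 0;
}
```

In the leaky variant a retry keeps failing even after the simulated chip becomes responsive, because the first call never gave the locality back.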

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor NVD for CVSS scoring once analysis is complete
  • Review systems using Infineon I2C TPMs for potential resource exhaustion symptoms
  • Consider TPM driver error handling patterns in custom kernel modules

Evidence notes

The vulnerability description indicates this is a resource leak bug in kernel TPM driver code. The fix pattern (goto out_err) is a standard Linux kernel error handling idiom. Multiple stable kernel commits are referenced, suggesting backports to multiple kernel versions. No CVSS score or severity is currently assigned by NVD (status: Awaiting Analysis).
