PatchSiren cyber security CVE debrief
CVE-2026-46096 Linux CVE debrief
A memory leak vulnerability exists in the Linux kernel's TPM2 (Trusted Platform Module 2.0) session handling code. The function `tpm2_read_public()` in the `tpm2-sessions` subsystem allocates a buffer via `tpm_buf_init()` but fails to release it on two specific code paths: (1) when `name_size()` returns an error due to an unrecognized hash algorithm, and (2) on the success path. This results in a page allocation leak. The vulnerability was resolved by adding the missing `tpm_buf_destroy()` calls to both exit paths. The fix has been committed to the stable Linux kernel tree.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux system administrators running kernels with TPM2 support enabled; security teams managing infrastructure with hardware security modules; kernel maintainers backporting stable patches
Technical summary
The vulnerability is a resource leak in `drivers/char/tpm/tpm2-sessions.c`. The `tpm2_read_public()` function initializes a `tpm_buf` structure using `tpm_buf_init()`, which performs a page allocation. The function correctly calls `tpm_buf_destroy()` on most error paths, but omits this cleanup in two places: (1) when `name_size()` fails with an unrecognized hash algorithm error and the function returns directly; and (2) on the success return path. The fix adds `tpm_buf_destroy(&buf)` before both return statements. This is a local denial-of-service vector via memory exhaustion, requiring the ability to trigger TPM2 operations.
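The leak pattern described above, as an added userspace model (not the kernel's code and not taken from the fix commits): it shows the two exits that skip cleanup and how the held-page count differs once the destroy calls are present. The `model_*` helpers, their signatures, the 8-page pool and the algorithm ids are constructed assumptions.

```c
/* Userspace model, not kernel source; model_* names/signatures are stand-ins. */
#include <errno.h>
#include <stdio.h>
#define POOL_PAGES 8                  /* constructed: tiny stand-in page pool */
static int pages_in_use;
struct model_buf { int has_page; };

static int model_buf_init(struct model_buf *b)       /* models tpm_buf_init() */
{
    if (pages_in_use == POOL_PAGES)
        return -ENOMEM;               /* pool exhausted: every caller now fails */
    b->has_page = 1;
    pages_in_use++;
    return 0;
}
static void model_buf_destroy(struct model_buf *b)   /* models tpm_buf_destroy() */
{
    pages_in_use -= b->has_page;
    b->has_page = 0;
}
/* models name_size(); 0x000B is the only id this model treats as recognized */
static int model_name_size(int alg) { return alg == 0x000B ? 34 : -EINVAL; }
/* models tpm2_read_public(); fixed=0 is the pre-fix shape, fixed=1 the patched one */
static int model_read_public(int alg, int fixed)
{
    struct model_buf buf;
    int rc = model_buf_init(&buf);
    if (rc) return rc;
    rc = model_name_size(alg);
    if (rc < 0) {
        if (fixed) model_buf_destroy(&buf);   /* (1) unrecognized-hash exit */
        return rc;
    }
    if (fixed) model_buf_destroy(&buf);       /* (2) success exit */
    return 0;
}
/* Reset the pool, make `calls` calls with mixed ids, return pages still held. */
static int pages_held_after(int fixed, int calls)
{
    pages_in_use = 0;
    for (int i = 0; i < calls; i++)
        model_read_public(i % 2 ? 0x000B : 0xFFFF, fixed);
    return pages_in_use;
}
int main(void)
{
    printf("pre-fix holds %d pages, patched holds %d\n",
           pages_held_after(0, 100), pages_held_after(1, 100));
    return 0;
}
```

In the pre-fix shape every call that gets past initialization keeps its page, so the pool drains after `POOL_PAGES` calls and later callers see `-ENOMEM` regardless of which exit they would have taken.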
Defensive priority
medium
Recommended defensive actions
- Review kernel version and confirm application of stable kernel patches referencing the fixed commits
- Monitor NVD for CVSS scoring once analysis is complete
- If running systems with TPM2 enabled, prioritize kernel updates to prevent memory exhaustion under sustained TPM operations
- Audit systems for unusual memory consumption patterns in kernel space that may indicate exploitation of this leak
Evidence notes
The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-27. The fix is confirmed through three kernel.org git commits to the stable tree. No CVSS score has been assigned as of the CVE publication date; NVD status is 'Awaiting Analysis'. Vendor identification is marked low confidence ('Unknown Vendor') in source data, though the affected component is clearly the Linux kernel TPM subsystem.
Official resources
- CVE-2026-46096 CVE record (CVE.org)
- CVE-2026-46096 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27