PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46109 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's USB ULPI (UTMI+ Low Pin Interface) subsystem. The issue occurs in the `ulpi_register()` function when error paths are taken before `device_register()` is called. Specifically, if `ulpi_of_register()` or `ulpi_read_id()` fail, the allocated `ulpi` structure is not freed, resulting in a memory leak. This vulnerability was introduced when a previous fix for a double-free bug (commit 01af542392b5) removed the `kfree(ulpi)` call from `ulpi_register_interface()` without adding appropriate cleanup for early error paths. The fix adds `kfree(ulpi)` to both error paths to ensure proper memory cleanup.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

System administrators running Linux kernels with USB ULPI support; embedded systems developers utilizing USB ULPI interfaces; kernel maintainers and distributors packaging stable kernel updates

Technical summary

The vulnerability is a memory leak in the Linux kernel's USB ULPI (UTMI+ Low Pin Interface) registration code. When `ulpi_register()` is called, it allocates a `ulpi` structure. If `ulpi_of_register()` or `ulpi_read_id()` fail before `device_register()` is invoked, the function returns an error without freeing the allocated memory. This leaves the `ulpi` structure allocated but unreachable, causing a memory leak. The root cause traces to commit 01af542392b5, which fixed a double-free vulnerability by removing `kfree(ulpi)` from `ulpi_register_interface()` but inadvertently removed cleanup for early error paths as well. The resolution adds explicit `kfree(ulpi)` calls on both the `ulpi_of_register()` and `ulpi_read_id()` error paths before returning.
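As an added illustration (not kernel code and not part of the CVE record), here is a constructed user-space C model of the pattern the summary describes: the structure is allocated, either of two early steps can fail before the device takes ownership, and only the corrected shape frees it on those paths. The names `of_register_stub`, `read_id_stub`, `register_leaky`, `register_fixed`, `leaked_after` and the allocation counter are assumptions of this model, not names from the kernel tree.

```c
#include <stdlib.h>

/* Constructed model of the ulpi_register() early-error-path pattern.
 * Not kernel code: the names mirror the debrief, the bodies are stand-ins. */

static int live_allocs;          /* outstanding allocations, so a leak is observable */

struct ulpi { int id; };

static void *xalloc(size_t n) { live_allocs++; return calloc(1, n); }
static void  xfree(void *p)   { if (p) { live_allocs--; free(p); } }

/* Stand-ins for the two early steps; 'fail_at' selects which one fails (0 = none). */
static int of_register_stub(int fail_at) { return fail_at == 1 ? -1 : 0; }
static int read_id_stub(int fail_at)     { return fail_at == 2 ? -1 : 0; }

/* Vulnerable shape: once the interface-level kfree() was removed, an early
 * return here leaves the freshly allocated struct unreachable. */
static int register_leaky(int fail_at, struct ulpi **out)
{
    struct ulpi *u = xalloc(sizeof *u);
    if (!u) return -1;
    if (of_register_stub(fail_at)) return -1;   /* leak: u never freed */
    if (read_id_stub(fail_at))     return -1;   /* leak: u never freed */
    *out = u;                                   /* from here on the device owns it */
    return 0;
}

/* Fixed shape: each early error path releases what this function allocated. */
static int register_fixed(int fail_at, struct ulpi **out)
{
    struct ulpi *u = xalloc(sizeof *u);
    if (!u) return -1;
    if (of_register_stub(fail_at)) { xfree(u); return -1; }
    if (read_id_stub(fail_at))     { xfree(u); return -1; }
    *out = u;
    return 0;
}

/* Drive one registration through error path 'fail_at' and report how many
 * allocations are still outstanding afterwards (0 means no leak). */
static int leaked_after(int (*reg)(int, struct ulpi **), int fail_at)
{
    struct ulpi *dev = NULL;
    live_allocs = 0;
    if (reg(fail_at, &dev) == 0) xfree(dev);    /* success path: normal teardown */
    return live_allocs;
}
```

Running `leaked_after` with each variant shows one allocation left behind per failed early step in the leaky shape and none in the fixed one, which is the observable difference the patch closes.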

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant kernel patch from the Linux stable tree to affected systems
  • Monitor kernel memory usage on systems utilizing USB ULPI interfaces
  • Review systems with custom USB ULPI drivers for similar memory management patterns
  • Verify kernel version includes the fix commits: 0b9fcab1b860, 2a71e01b2cf9, b0c0d44adb55, be2c1d825f54, or f30ccfc29855

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry, both published on 2026-05-28. The technical details reference specific kernel commits in the stable tree that implement the fix. The vendor identification is marked as low confidence and requires review, as the source only indicates 'Kernel' as a reference domain candidate.

Official resources

The vulnerability was disclosed via the Linux kernel stable tree with patches published on 2026-05-28. The issue was identified and resolved by kernel maintainers as part of ongoing USB subsystem hardening.