CVE-2026-46151 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, organizations with physical security requirements, embedded device manufacturers using USB printer support

Technical summary

The usblp driver in the Linux kernel contains an information disclosure vulnerability in its IEEE 1284 device ID handling. The device_id_string buffer (1024 bytes, kmalloc'd at probe) is not zeroed before usblp_cache_device_id_string() issues a GET_DEVICE_ID control request. The usblp_ctrl_msg() helper collapses usb_control_msg() return values to 0/-errno, discarding the actual transfer length. A device responding with only 2 bytes (a forged big-endian length prefix, e.g., 0x03 0xFF claiming 1023 bytes) causes the driver to trust this length. The stale heap contents beyond the 2 received bytes are then exposed: via sysfs ieee1284_id (sprintf output truncated at first NUL) and via IOCNR_GET_DEVICE_ID ioctl (copy_to_user of full claimed length, up to 1021 bytes). The fix zero-fills the buffer before each request, ensuring no uninitialized data exposure.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
• Restrict physical access to USB ports to prevent attachment of malicious USB devices
• Consider disabling USB printer support (CONFIG_USB_PRINTER) if not required
• Monitor for unexpected ieee1284_id sysfs attribute reads or IOCNR_GET_DEVICE_ID ioctl calls
• Review system logs for anomalous USB device attachment events

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. The fix involves zeroing the device_id_string buffer before each GET_DEVICE_ID request. Multiple stable kernel branch commits are referenced in the source data.

Official resources