PatchSiren cyber security CVE debrief

CVE-2026-46167 Linux CVE debrief

A vulnerability in the Linux kernel's USB printer driver (usblp) allows information disclosure via an uninitialized heap memory leak. The statusbuf buffer, allocated via kmalloc(8) at probe time, is never initialized before the first LPGETSTATUS ioctl. When usblp_read_status() requests 1 byte and a malicious or misbehaving USB printer responds with zero bytes, the driver returns one byte of stale heap memory to the ioctl caller. This stale data is sign-extended into an int and copied to userspace via copy_to_user(). The vulnerability exists because usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual bytes transferred, preventing proper short-read detection. The fix initializes the buffer at allocation time to prevent information leakage.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux system administrators, kernel maintainers, organizations with physical security concerns regarding USB device attachment, embedded systems using USB printers, security teams tracking kernel information disclosure vulnerabilities

Technical summary

The usblp driver in the Linux kernel contains an information disclosure vulnerability in the LPGETSTATUS ioctl handler. The statusbuf buffer (8 bytes, kmalloc'd at probe) is not initialized before first use. When usblp_read_status() performs a USB control message requesting 1 byte, and the device returns 0 bytes (short read), the driver fails to detect this condition because usblp_ctrl_msg() discards the actual transfer count. The uninitialized first byte of statusbuf is then sign-extended and returned to userspace. The fix zero-initializes statusbuf at allocation, ensuring no heap memory leakage occurs on short reads.
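The failure chain in the description and the technical summary (uninitialized 8-byte buffer, a wrapper that discards the transfer count, a zero-byte reply, sign extension of the stale first byte) can be traced with an added userspace model. This is constructed for this debrief and is not the kernel's usblp code: fake_usb_control_msg() stands in for usb_control_msg(), the stale heap byte (0xA5) and the printer's status reply (0x18) are planted values, and reporting a short read as -EIO in the checked wrapper is an assumed choice, not the upstream fix (which, per the debrief, zero-initializes the buffer).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed userspace model of the usblp LPGETSTATUS path described in the
 * debrief. It is NOT the kernel driver's code: fake_usb_control_msg() stands
 * in for usb_control_msg(), and every name and value below is illustrative.
 */

#define STATUS_BUF_SIZE 8          /* the debrief's kmalloc(8) buffer */
#define STALE_HEAP_BYTE 0xA5       /* constructed "previous heap contents" */
#define PRINTER_STATUS_OK 0x18     /* constructed reply from a well-behaved printer */

/* How many bytes the simulated printer answers with on a status request. */
static int device_reply_len = 1;

/* Stand-in for usb_control_msg(): returns bytes transferred or -errno. */
static int fake_usb_control_msg(unsigned char *buf, int len)
{
    int n = device_reply_len < len ? device_reply_len : len;
    if (n < 0)
        return -EPIPE;
    memset(buf, PRINTER_STATUS_OK, (size_t)n);
    return n;
}

/* Vulnerable wrapper pattern from the debrief: collapse the transfer count
 * to 0 / -errno, so a zero-byte reply is indistinguishable from a full one. */
static int ctrl_msg_collapsing(unsigned char *buf, int len)
{
    int rc = fake_usb_control_msg(buf, len);
    return rc < 0 ? rc : 0;
}

/* Hardened wrapper: a short read is reported as an error (assumed -EIO). */
static int ctrl_msg_checked(unsigned char *buf, int len)
{
    int rc = fake_usb_control_msg(buf, len);
    if (rc < 0)
        return rc;
    return rc == len ? 0 : -EIO;
}

/* Model of usblp_read_status() followed by the ioctl widening the first byte
 * to int. The arithmetic mirrors sign extension of a signed char portably:
 * 0x80..0xFF become negative ints. */
static int read_status(unsigned char *statusbuf,
                       int (*ctrl)(unsigned char *, int), int *status_out)
{
    int rc = ctrl(statusbuf, 1);
    int v;
    if (rc < 0)
        return rc;
    v = statusbuf[0];
    *status_out = v >= 128 ? v - 256 : v;
    return 0;
}

/* kmalloc-like: memory keeps whatever was there before (planted here). */
static unsigned char *alloc_uninitialized(void)
{
    unsigned char *p = malloc(STATUS_BUF_SIZE);
    if (p)
        memset(p, STALE_HEAP_BYTE, STATUS_BUF_SIZE);
    return p;
}

/* kzalloc-like: the fix described in the debrief. */
static unsigned char *alloc_zeroed(void)
{
    return calloc(1, STATUS_BUF_SIZE);
}

/* Runs one LPGETSTATUS under the chosen allocation and wrapper. The value
 * userspace would receive lands in *status_out; the return is 0 or -errno. */
static int lpgetstatus(int zero_init, int check_short_read, int reply_len,
                       int *status_out)
{
    unsigned char *buf = zero_init ? alloc_zeroed() : alloc_uninitialized();
    int rc;
    if (!buf)
        return -ENOMEM;
    device_reply_len = reply_len;
    rc = read_status(buf,
                     check_short_read ? ctrl_msg_checked : ctrl_msg_collapsing,
                     status_out);
    free(buf);
    return rc;
}

int main(void)
{
    int s;
    lpgetstatus(0, 0, 1, &s);
    printf("1-byte reply, uninitialized buffer : status=%d\n", s);
    lpgetstatus(0, 0, 0, &s);
    printf("0-byte reply, uninitialized buffer : status=%d (stale heap byte)\n", s);
    lpgetstatus(1, 0, 0, &s);
    printf("0-byte reply, zeroed buffer        : status=%d\n", s);
    printf("0-byte reply, short-read check     : rc=%d\n", lpgetstatus(0, 1, 0, &s));
    return 0;
}
```

The second case is the leak: with the collapsing wrapper and a zero-byte reply, read_status() reports success and the stale byte (0xA5, widened to -91) reaches the caller. Zeroing the buffer removes the leaked content but still hands userspace a meaningless 0; checking the transfer count turns the same device behaviour into an error, which is why both measures are worth having.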

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available for your distribution
  • Verify usblp driver is not loaded if USB printer support is not required
  • Monitor for distribution security advisories for kernel updates
  • Review systems with physical USB access for potential malicious device attachment

Evidence notes

The vulnerability description confirms a kmalloc(8) allocation without initialization at probe time. The LPGETSTATUS ioctl path copies statusbuf content to userspace. A malicious printer that answers with zero bytes triggers the leak of uninitialized heap memory. The fix commit initializes the buffer at allocation. The multiple stable kernel branch commits provided indicate that the fix has been backported to supported releases.

Official resources

2026-05-28