PatchSiren cyber security CVE debrief
CVE-2026-46283 Linux CVE debrief
CVE-2026-46283 is an information disclosure vulnerability in the Linux kernel. The tpm_dev_release() function uses kfree() to free sensitive data, potentially leaving sensitive cryptographic material in freed slab memory. This issue has been resolved by using kfree_sensitive() to ensure session keys are scrubbed during device teardown.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Linux kernel developers and users, especially those using TPM (Trusted Platform Module) functionality.
Technical summary
The tpm_dev_release() function in the Linux kernel was using kfree() to free sensitive data, including HMAC session keys, nonces, and passphrase data. This could leave sensitive information in freed slab memory until it is eventually overwritten. The issue has been fixed by replacing kfree() with kfree_sensitive() to ensure that sensitive data is properly scrubbed during device teardown.
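The difference between the two free paths described above, as an added example that is not code from the kernel or from this advisory: a userspace toy slab (hypothetical `toy_*` names, constructed key bytes) in which a plain free leaves the key in the freed slot and a scrubbing free does not.

```c
#include <stdio.h>
#include <string.h>

/* Toy slab: fixed-size objects in a pool we own, so inspecting a freed slot
 * is well-defined. All names are hypothetical, not kernel symbols. */
#define SLOT_SIZE 64
#define NSLOTS    4
static unsigned char pool[NSLOTS][SLOT_SIZE];
static int in_use[NSLOTS];

static void *toy_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Models kfree(): the slot returns to the free list, contents untouched. */
static void toy_free(void *p) {
    if (p) in_use[(unsigned char (*)[SLOT_SIZE])p - pool] = 0;
}

/* Models kfree_sensitive(): zero the whole object, then free it. The
 * volatile pointer keeps the compiler from dropping the stores as dead. */
static void toy_free_sensitive(void *p) {
    volatile unsigned char *v = p;
    for (size_t i = 0; p && i < SLOT_SIZE; i++) v[i] = 0;
    toy_free(p);
}

/* Count free slots that still contain `needle` (residual secret material). */
static int residual_hits(const void *needle, size_t n) {
    int hits = 0;
    for (int s = 0; s < NSLOTS; s++)
        for (size_t off = 0; off + n <= SLOT_SIZE; off++)
            if (!in_use[s] && memcmp(&pool[s][off], needle, n) == 0) { hits++; break; }
    return hits;
}

/* Store a constructed session key in an object, release it, report leftovers. */
static int leak_after_release(int scrub) {
    static const unsigned char key[16] = "CONSTRUCTED-KEY"; /* constructed sample */
    memset(pool, 0, sizeof pool); memset(in_use, 0, sizeof in_use);
    unsigned char *obj = toy_alloc();
    memcpy(obj + 8, key, sizeof key);
    if (scrub) toy_free_sensitive(obj); else toy_free(obj);
    return residual_hits(key, sizeof key);
}

int main(void) {
    printf("plain free: %d, scrubbing free: %d\n", leak_after_release(0), leak_after_release(1));
    return 0;
}
```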
Defensive priority
Medium
Recommended defensive actions
- Apply the patch from the Linux kernel repository to update the tpm_dev_release() function to use kfree_sensitive().
- Use a Linux kernel version that includes the fix for CVE-2026-46283.
Evidence notes
The CVE record and NVD detail for CVE-2026-46283 provide information on the vulnerability and its resolution.
Official resources
- CVE-2026-46283 CVE record (CVE.org)
- CVE-2026-46283 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67