{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46151", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.101Z", "datePublished": "2026-05-28T09:36:07.397Z", "dateUpdated": "2026-05-28T09:36:07.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:36:07.397Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\n\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred. A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\n\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\n\nThat stale data is then exposed:\n - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\n at the first NUL in the stale heap), and\n - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\n claimed length regardless of NULs, up to 1021 bytes of uninitialized\n heap, with the leak size chosen by the device.\n\nFix this up by just zapping the buffer with zeros before each request\nsent to the device."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/class/usblp.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6e29c32a27218f2dcd4a4e9b0b3c5e7728640698", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6d8142141c942c0d8e79343cffda9c44bb1f3f4f", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8247f52d822180e94ccbfdab91613af386a4e34d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "522d17e93a85575256894212d10e5a1fa6f36529", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7a400c6fe3617e31e690e3f7ca37bb335e0498f3", "status": "affected", "versionType": "git"}, {"version": "0", "lessThan": "6.6.140", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "6.12.88", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "6.18.30", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "7.0.7", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/class/usblp.c"], "versions": [{"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698"}, {"url": "https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f"}, {"url": "https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d"}, {"url": "https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529"}, {"url": "https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3"}], "title": "usb: usblp: fix heap leak in IEEE 1284 device ID via short response", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\n\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred. A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\n\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\n\nThat stale data is then exposed:\n - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\n at the first NUL in the stale heap), and\n - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\n claimed length regardless of NULs, up to 1021 bytes of uninitialized\n heap, with the leak size chosen by the device.\n\nFix this up by just zapping the buffer with zeros before each request\nsent to the device."}], "id": "CVE-2026-46151", "lastModified": "2026-05-28T13:44:01.663", "metrics": {}, "published": "2026-05-28T10:16:30.723", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-28T11:45:16.111814+00:00", "updated": "2026-05-28T11:45:16.111827+00:00", "vendors": [], "weaknesses": ["CWE-200", "CWE-665"]}