MEDIUM 5.5

CVE-2026-46109

A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-401
Affected products
5 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix memory leak on ulpi_register() error paths Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46109 describes a memory leak in the Linux kernel's USB ULPI subsystem, specifically in the ulpi_register() function. A previous patch (commit 01af542392b5) removed a kfree(ulpi) call to prevent double-free errors when device_register() failed. However, this left two error paths unprotected: when ulpi_of_register() or ulpi_read_id() fail before device_register() is invoked, the allocated ulpi structure is not freed. The fix adds kfree(ulpi) to both early error paths, ensuring proper cleanup regardless of where registration fails. This is classified as CWE-401 (Missing Release of Memory after Effective Lifetime).

Business impact

On affected systems, repeated USB ULPI device registration failures could gradually exhaust kernel memory. In environments with frequent device hotplug events, failed driver initialization, or fuzzing/stress testing, this could degrade system stability or enable denial-of-service conditions. Systems with strict memory constraints (embedded devices, IoT, containerized deployments) face heightened risk. However, practical exploitation requires local system access and the ability to trigger specific USB enumeration failures.

Affected systems

All Linux kernel versions containing the vulnerable ulpi_register() code path are affected. This includes most recent stable releases (6.x series) and long-term support kernels (5.15.x, 5.10.x, etc.) until patched. The impact is broadest on systems with active USB ULPI devices (transceiver interfaces) or development/testing environments performing frequent USB device registration. Older kernels prior to the introduction of ULPI subsystem functionality are unaffected.

Exploitability

Exploitation requires local system access and the ability to trigger USB ULPI device registration failures. This is not a remote vulnerability and does not provide code execution or privilege escalation directly. The leak accumulates gradually rather than enabling immediate system compromise. Denial-of-service potential exists only in scenarios with repeated device initialization attempts or sustained memory pressure. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Remediation

Apply the upstream Linux kernel patch that adds kfree(ulpi) calls to both ulpi_of_register() and ulpi_read_id() error paths in drivers/usb/ulpi/ulpi.c. Verify the fix is present in your kernel version before deploying. Distributions should backport this fix to all supported stable branches. No workaround exists for unpatched systems; patching is the only mitigation.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates addressing CVE-2026-46109. Verify patch inclusion by checking kernel source against the upstream fix or reviewing vendor release notes. For systems using long-term support kernels (5.10.x, 5.15.x, 6.1.x), prioritize updates from your distribution's LTS channels. Test patched kernels in non-production environments before rolling out widely to ensure compatibility with your USB device ecosystem.

Detection guidance

Kernel memory accounting tools (kmemcheck, kmemleak) can identify cumulative memory leaks if enabled at build time. Monitor syslog for repeated USB ULPI enumeration failures or device_register() errors, which may indicate repeated trigger attempts. Memory pressure events in kernel logs coupled with USB device attachment/detachment patterns warrant investigation. Runtime memory profiling during development or testing may reveal increasing unaccounted kernel memory tied to USB operations.

Why prioritize this

While this is a medium-severity memory leak, prioritization should reflect your environment's USB ULPI usage and memory constraints. Embedded and IoT deployments, Kubernetes clusters with device passthrough, and heavily tested development systems should patch sooner. Production servers without active ULPI devices or specialized USB transceiver hardware can deprioritize relative to critical vulnerabilities, but should still schedule patching within normal maintenance windows.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects local-only access requirements (AV:L), low complexity (AC:L), need for user-level or higher privileges (PR:L), and availability impact (A:H) with no confidentiality or integrity compromise. The score appropriately penalizes the memory leak's denial-of-service potential while acknowledging practical barriers to exploitation on typical systems. Actual risk to your organization depends on USB ULPI device prevalence, system memory availability, and exposure to untrusted device attachment.

Frequently asked questions

Does this vulnerability allow remote code execution or privilege escalation?

No. CVE-2026-46109 is strictly a local memory leak. It cannot be exploited remotely and does not provide code execution or privilege escalation capabilities. The primary risk is denial-of-service through memory exhaustion under repeated device registration failures.

Which systems are most at risk?

Systems actively using USB ULPI transceivers, embedded/IoT devices with constrained memory, kernel development/testing environments with frequent USB hotplug events, and containerized deployments performing USB device passthrough face the highest practical risk. Most traditional servers and workstations without specialized USB transceiver hardware are unlikely to trigger this leak in normal operation.

Do I need to patch immediately?

Patch within your normal maintenance window unless you operate one of the high-risk system categories above. This is a medium-severity issue without active exploitation. Prioritize it below critical and high-severity vulnerabilities, but do not defer indefinitely. Verify patch availability in your distribution before scheduling.

Can the leak be mitigated without patching the kernel?

No practical workaround exists. The fix requires kernel-level changes to the ulpi_register() function. System administrators can only mitigate by reducing USB ULPI device enumeration failures (stable hardware, avoiding device resets) and monitoring memory availability until patched.

This analysis is provided for informational purposes based on available public data as of the publication date. SEC.co makes no warranty regarding the accuracy or completeness of this information. Verify all patch versions, affected releases, and compatibility details against official vendor advisories and your system configuration before deploying fixes. This vulnerability requires local system access and is not remotely exploitable; however, security posture should be evaluated holistically against all vulnerabilities affecting your infrastructure. Consult your organization's security team and vendor documentation before making patching decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities