CVE-2026-46167
A flaw in the Linux kernel's USB printer driver (usblp) allows uninitialized kernel memory to leak to user-space applications through the LPGETSTATUS ioctl command. When a USB printer responds with fewer bytes than expected, the driver fails to initialize the response buffer properly, potentially exposing stale heap memory to callers. This can occur even with standard-behaving printers; the vulnerability is particularly concerning in multi-user environments where one user's application could inadvertently receive residual kernel memory from prior operations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-908
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46167 exploits a memory initialization gap in the usblp driver's status-reading path. The usblp_ctrl_msg() function collapses USB control message return values, discarding the actual byte count transferred. When usblp_read_status() requests one byte but receives zero bytes (legitimate behavior for some printer implementations), the kmalloc'd statusbuf remains uninitialized. This uninitialized heap content is then sign-extended into a local int and copied directly to user-space via copy_to_user() during LPGETSTATUS ioctl handling. The root cause is deferred initialization: statusbuf is allocated once at probe time but never zeroed. The fix involves zeroing the buffer at allocation, ensuring any subsequent short reads return consistent, safe data rather than stale heap contents.
Business impact
The information disclosure risk is moderate but real in shared computing environments. A user running an application that issues LPGETSTATUS ioctls could receive fragments of kernel memory, potentially exposing sensitive data such as cryptographic keys, session tokens, or other process-related information that happened to occupy that heap region. On single-user desktops or servers without local adversaries, the practical risk is lower. However, organizations with multi-tenant systems, shared developer workstations, or restrictive data classification policies should treat this as a priority. The CVSS score of 5.5 (medium) reflects local-only access requirements and no direct integrity or confidentiability impact in the traditional sense, though information leakage is inherent.
Affected systems
The vulnerability affects all Linux kernel versions incorporating the usblp driver that have not applied this fix. The driver is compiled into or loaded as a module on most Linux distributions that support USB printers. Affected systems include desktop Linux environments with USB printer support enabled, embedded Linux devices with printer connectivity, and servers running print services. The vulnerability requires local access and the ability to issue ioctls on /dev/usb/lp* devices, so systems with restrictive device permissions are less exposed. Verify the specific kernel version and usblp module status on your infrastructure.
Exploitability
Exploitation requires local system access and permission to open and issue ioctls on USB printer device nodes. No remote exploitation vector exists. An unprivileged user on a shared system can typically read from /dev/usb/lp* devices depending on group membership and permission settings. The attack is deterministic and repeatable—calling LPGETSTATUS reliably triggers the leak of whatever heap memory was previously allocated in that location. No user interaction, race conditions, or special hardware setup is required; any USB printer (or lack thereof) suffices. Weaponization is straightforward but depends entirely on local access. This is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the advisory date.
Remediation
Apply the Linux kernel patch that zeros the statusbuf buffer at probe time. This ensures the buffer always contains initialized memory, eliminating the leak. Verify against the vendor advisory for the exact patch commit hash and applicable kernel versions. As an interim mitigation on systems where patching is delayed, restrict device node permissions via udev rules to limit who can issue ioctls on USB printer devices. Consider using AppArmor, SELinux, or similar mandatory access controls to deny unprivileged access to printer device nodes if they are not essential for normal operations.
Patch guidance
Locate the exact kernel patch for CVE-2026-46167 via the official Linux kernel repository or your distribution's security advisories. The fix is a straightforward memory initialization change in the usblp probe function. Most distributions will release updated kernel packages; check your vendor's security page (e.g., linux-distro-security.org, vendor errata). Test the patched kernel in a non-production environment to confirm printer functionality remains intact before deploying broadly. Kernel module recompilation or full kernel rebuild may be necessary depending on your infrastructure. Coordinate patching across your fleet, prioritizing multi-user systems and shared workstations.
Detection guidance
Monitor kernel logs for usblp driver errors or unusual ioctl patterns. On affected systems, examine system call tracing (strace, auditd) for repeated LPGETSTATUS ioctl calls on /dev/usb/lp* from unexpected processes. Deploy host-based intrusion detection rules that flag excessive or anomalous access to printer device nodes. Since the vulnerability requires local access, endpoint monitoring and privileged access reviews are more effective than network-based detection. Canary processes that issue LPGETSTATUS and compare output variance can signal heap activity patterns, though this is a detective measure only. Patch deployment and access control remain the primary controls.
Why prioritize this
Prioritize this vulnerability for patching based on system role and user isolation. Single-user desktops and offline servers have minimal practical risk. Multi-user systems (shared developer machines, thin client environments, educational labs, managed print servers) should patch urgently because local users routinely gain device access. The medium CVSS score reflects the local-only requirement and absence of direct code execution or confidentiality guarantee, but the ease of exploitation and deterministic information leakage warrant prompt remediation in higher-risk environments. Combine with access control reviews to reduce the number of users capable of triggering the leak.
Risk score, explained
CVSS 3.1 base score of 5.5 (Medium) is assigned because: (1) Attack Vector is Local, eliminating remote exploitation; (2) Attack Complexity is Low—no special setup required; (3) Privileges Required is Low—typical users can issue ioctls if device permissions allow; (4) User Interaction is None; (5) Scope is Unchanged; (6) Confidentiality Impact is None in the formal sense (no guarantee of sensitive data leak, though heap memory could contain it); (7) Integrity Impact is None; (8) Availability Impact is High because repeated reads can cause denial of service through resource exhaustion in edge cases, though this is not the primary concern. The score would be higher (6.5–7.0) if confidentiality impact were rated higher, but the unpredictable nature of heap contents lowers it. Organizations handling sensitive data may apply a higher environmental score.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and the ability to issue ioctls on USB printer device nodes. A remote attacker has no attack surface. However, privileged users on shared systems or container orchestration environments could exploit it laterally to leak heap memory from other processes.
What kind of sensitive data could be leaked?
The leaked memory is kernel heap content from the USB driver's memory region. Depending on prior allocations, this could include fragments of cryptographic keys, session identifiers, process credentials, or other sensitive structures. The leaked data is unpredictable and depends on heap state at runtime. No guarantees exist about what information will be disclosed on any given call.
If my printer is not connected, am I still vulnerable?
Yes. The vulnerability exists in the driver code path regardless of whether a physical printer is attached. An attacker can trigger the ioctl call, and the driver will respond with uninitialized heap memory. The presence or absence of a connected printer does not affect exploitability.
Are all Linux distributions affected?
All Linux kernels running the usblp driver prior to the fix are affected. This includes most mainstream distributions (Ubuntu, Fedora, Debian, RHEL, etc.) unless they have already patched or disabled the driver. Embedded and minimal Linux systems without USB printer support compiled in are not affected. Check your kernel version and module configuration against your distribution's security advisories.
This analysis is based on the CVE record and publicly available kernel advisory information as of the published date. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog. Patch status, affected kernel versions, and vendor timelines may vary by Linux distribution. Organizations should verify patch availability and compatibility with their specific kernel versions and infrastructure before deployment. This vulnerability requires local access and is not remotely exploitable. The information disclosed is unpredictable and dependent on runtime heap state; no guarantee exists regarding what sensitive data, if any, may be exposed in a particular environment. SEC.co and its authors assume no liability for deployment decisions or outcomes related to this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46132MEDIUM
CVE-2026-46132: Linux Kernel Stack Memory Leak via rtnetlink VF Information Disclosure
- CVE-2026-46139MEDIUM
CVE-2026-46139: Linux SMB Client Uninitialized Buffer in Security Descriptors
- CVE-2026-46169MEDIUM
CVE-2026-46169: Linux HFS+ Catalog Record Validation Vulnerability
- CVE-2026-26825MEDIUM
CVE-2026-26825: libxls 1.6.3 Use-of-Uninitialized Memory Vulnerability
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer