MEDIUM 5.5

CVE-2026-46283: Linux TPM Driver Leaves Cryptographic Keys in Freed Memory

A vulnerability in the Linux kernel's TPM (Trusted Platform Module) driver leaves sensitive cryptographic session keys in freed memory when a TPM device is closed. The driver should zero out this memory before releasing it—a standard security practice it already uses in other code paths—but this particular cleanup path was missed. An attacker with local access could potentially recover these keys from freed memory before it's overwritten by other processes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The tpm_dev_release() function in the Linux kernel TPM driver frees the chip->auth structure (type struct tpm2_auth) using plain kfree() instead of kfree_sensitive(). This structure contains sensitive cryptographic material: HMAC session keys, nonces, and passphrase data used in TPM2 authentication flows. The vulnerability exists because two other code paths in the same driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) correctly use kfree_sensitive() to zero memory before deallocation. The missing use of kfree_sensitive() in the device release path leaves session keys in freed slab memory until the allocator or other kernel code overwrites it, creating a window for memory disclosure attacks.

Business impact

Organizations relying on TPM-based security—particularly those using TPM for key storage, secure boot, or hardware-backed cryptographic operations—face a localized key disclosure risk. While the exposure window is limited and requires local access, compromise of session keys could allow an attacker to forge TPM commands, bypass platform integrity checks, or impersonate legitimate applications. The impact is most acute in multi-tenant or shared-system environments where untrusted local users exist.

Affected systems

The Linux kernel is affected. Verify exact kernel versions from the official Linux kernel security advisory or stable branch commit logs. All systems running affected kernel versions with TPM support enabled are potentially vulnerable, including servers, embedded systems, and devices using TPM for hardware security module (HSM) functionality.

Exploitability

Exploitation requires local system access and privileges to trigger device release events and read freed memory. This is not a network-exploitable vulnerability. The attacker would need to close TPM device handles under conditions where freed slab memory remains accessible—a non-trivial but achievable scenario in certain kernel memory configurations. The CVSS vector reflects local attack surface (AV:L), low attack complexity (AC:L), and low privilege requirement (PR:L).

Remediation

Apply a kernel update that replaces the plain kfree() call with kfree_sensitive() in tpm_dev_release(). This is a minimal, low-risk code change that aligns the device release path with existing best practices in the same driver. Monitor your kernel version against official CVE advisories and security bulletins from your distribution.

Patch guidance

Check your Linux distribution's security advisory for CVE-2026-46283 to identify the specific patched kernel version. Upgrade to the recommended version or later. For distributions on extended support lifecycles, patches may be backported to older stable branches—verify against your vendor's advisory. No workarounds are available; patching the kernel is required.

Detection guidance

Intrusion detection is limited given the local nature of the vulnerability. Focus on kernel security monitoring: detect abnormal attempts to read /dev/tpm0 or /dev/tpmrm* devices by unprivileged users, and monitor for direct slab memory access patterns. Most effectively, scan systems for kernel versions and enable firmware-level TPM attestation logging if available. Proof-of-concept memory dumps would be hard to attribute after the fact.

Why prioritize this

MEDIUM severity (CVSS 5.5) with local attack requirement and low privilege threshold. Prioritize patching in multi-user systems, containers, or cloud instances where local isolation is weaker, and in devices where TPM protects sensitive authentication or encryption keys. Single-user workstations and air-gapped systems face lower practical risk.

Risk score, explained

CVSS 5.5 reflects a local-only attack surface (AV:L), straightforward exploitation technique once access is gained (AC:L), low privilege barrier (PR:L), and high confidentiality impact (C:H in the actual vulnerability—note the CVSS vector provided shows availability impact, but the real risk is confidential key material loss). The score appropriately reflects that while the attack surface is narrow, the consequence of key disclosure is serious.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local system access and the ability to trigger device teardown and read freed memory. It is not network-exploitable.

Does this affect non-TPM systems?

Only if TPM support is compiled into the kernel and in use. Systems without TPM hardware or with TPM support disabled are unaffected, though TPM is increasingly common in enterprise and newer hardware platforms.

What is kfree_sensitive() and why does it matter here?

kfree_sensitive() is a kernel function that zeros memory before freeing it, preventing sensitive data recovery from freed allocations. The TPM driver already uses it elsewhere; this fix applies the same protection to the device release path for consistency and defense-in-depth.

Are there any known public exploits?

Verify via your distribution's security advisory and the CVE databases (NIST, Red Hat, etc.). At the time of publication, no widespread active exploitation was reported, but the local attack surface and key material exposure make this a priority for patching in shared or untrusted multi-user environments.

This analysis is provided for informational purposes and does not constitute professional security advice. Verify all technical details, patch versions, and affected system lists against official vendor advisories before taking action. CVSS scores and CVE details are sourced from official databases; always cross-reference with your distribution's security bulletins. Successful exploitation depends on system configuration, kernel compile options, and local access controls—assess your specific environment's risk accordingly. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).