SB20260529124 - Heap Inspection in Linux kernel usb class driver




Published: May 29, 2026

Security Bulletin ID SB20260529124
CSH Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Physical access
Highest impact Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Heap Inspection (CVE-ID: CVE-2026-46167)

CWE-ID: CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an attacker with physical access to disclose sensitive information.

The vulnerability exists due to uninitialized heap memory exposure in the LPGETSTATUS ioctl path of the usblp driver when it processes a status response from a connected USB printer. An attacker with physical access can use a malicious printer that returns zero bytes in response to a status request to disclose sensitive information.

The issue occurs because the status buffer may contain stale heap data before the first LPGETSTATUS ioctl call.
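
The pattern described above, as an added user-space model in C. It is not the usblp driver's code or the vendor patch. The buffer size, the 0xA5 stale-data marker and all function names are assumptions made for illustration, and the two defences shown (a zeroing allocation and a transfer-length check) are generic hardening measures.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_BUF_SIZE 8   /* assumed size, for this model only */
#define STALE_BYTE 0xA5     /* constructed stand-in for leftover heap data */

/* Model of the driver's status buffer. zeroed=0 mimics an allocation that
 * keeps stale contents; zeroed=1 mimics a zeroing allocator. */
static unsigned char *alloc_status_buf(int zeroed)
{
    unsigned char *buf = malloc(STATUS_BUF_SIZE);
    if (buf)
        memset(buf, zeroed ? 0 : STALE_BYTE, STATUS_BUF_SIZE);
    return buf;
}

/* Model of the device transfer: the "printer" decides how many bytes to
 * send. Returns the number of bytes actually written into buf. */
static int device_read_status(unsigned char *buf, const unsigned char *reply,
                              size_t reply_len)
{
    if (reply_len > STATUS_BUF_SIZE)
        reply_len = STATUS_BUF_SIZE;
    if (reply_len)
        memcpy(buf, reply, reply_len);
    return (int)reply_len;
}

/* Flawed pattern: a zero-length reply counts as success, so the caller
 * receives whatever byte was already in the buffer. */
static int get_status_unchecked(unsigned char *buf, const unsigned char *reply,
                                size_t reply_len)
{
    if (device_read_status(buf, reply, reply_len) < 0)
        return -1;
    return buf[0];
}

/* Hardened pattern: only bytes the device really delivered are returned. */
static int get_status_checked(unsigned char *buf, const unsigned char *reply,
                              size_t reply_len)
{
    if (device_read_status(buf, reply, reply_len) < 1)
        return -1;
    return buf[0];
}
```

With a zero-byte reply, the unchecked path returns the stale marker from a non-zeroed buffer, while the checked path reports an error and a zeroed buffer yields only 0.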


Remediation

Install the update from the vendor's website.