Use of uninitialized resource in Linux kernel - CVE-2026-46151

 


Published: May 29, 2026


Vulnerability identifier: #VU133048
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46151
CWE-ID: CWE-908
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows an attacker with physical access to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in the usblp driver when processing a short IEEE 1284 GET_DEVICE_ID control response from a connected USB printer. An attacker with physical access can connect a specially crafted device that returns a truncated response with a forged length field to disclose sensitive information.

The leaked data may be exposed through the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl.
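The bug class described above, as an added illustration that is not the usblp driver's code or the upstream fix: an IEEE 1284 device ID starts with a two-byte big-endian length that counts itself, and a reader that trusts that field over the number of bytes actually transferred hands back stale buffer contents. The function names, the 64-byte buffer and the sample reply are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: trust the big-endian length the device put in bytes 0-1. */
size_t devid_declared_len(const uint8_t *buf)
{
    return ((size_t)buf[0] << 8) | buf[1];
}

/* Hardened pattern: clamp to bytes received, zero the rest, rewrite the header. */
size_t devid_sanitize(uint8_t *buf, size_t size, size_t received)
{
    size_t valid = 0;
    if (received > size)
        received = size;
    if (received >= 2) {                /* else even the header is short */
        valid = devid_declared_len(buf);
        if (valid < 2)
            valid = 2;                  /* the field counts its own 2 bytes */
        if (valid > received)
            valid = received;           /* never past what was transferred */
    }
    memset(buf + valid, 0, size - valid);
    if (valid) {
        buf[0] = (uint8_t)(valid >> 8);
        buf[1] = (uint8_t)(valid & 0xff);
    }
    return valid;
}

/* Constructed sample: 8 bytes received, header claims 0x30 (48); counts stale bytes. */
size_t demo_stale_bytes(int sanitize)
{
    uint8_t buf[64];
    const uint8_t reply[8] = { 0x00, 0x30, 'M', 'F', 'G', ':', 'X', ';' };
    size_t i, len, stale = 0;
    memset(buf, 0xAA, sizeof(buf));     /* stands in for uninitialized memory */
    memcpy(buf, reply, sizeof(reply));
    len = sanitize ? devid_sanitize(buf, sizeof(buf), sizeof(reply)) : devid_declared_len(buf);
    for (i = 0; i < len; i++)
        stale += (buf[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("%zu stale bytes trusted, %zu after sanitizing\n", demo_stale_bytes(0), demo_stale_bytes(1));
    return 0;
}
```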


How to mitigate CVE-2026-46151

Install the security update from the vendor's repository.
