CVE-2026-46096

Summary

In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()

tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation:

  1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer.

  2. On the success path, the buffer is never destroyed before returning.

All other error paths in the function correctly call tpm_buf_destroy() before returning.

Fix both by adding the missing tpm_buf_destroy() calls.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux20eda7c74b69fe9e1caf9b930a5c016bf8d755fa < f8775d9d9062da662cc861f9ff7722a65896d4cdaffected
LinuxLinuxbda1cbf73c6e241267c286427f2ed52b5735d872 < 2f434be87e256fd58254f60ddf5d7d58e775ca0baffected
LinuxLinuxbda1cbf73c6e241267c286427f2ed52b5735d872 < f0f75a3d98b7959a8677b6363e23190f3018636baffected
LinuxLinuxa3b7eb67225c486a2da357c5db3e386f4e64bcdeaffected
LinuxLinux6.18.3 < 6.18.27affected
LinuxLinux6.12.64 < 6.13affected
LinuxLinux6.19affected
LinuxLinux0 < 6.19unaffected
LinuxLinux6.18.27 <= 6.18.*unaffected
LinuxLinux7.0.4 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References