CVE-2026-46167

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.

Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that.

statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0f7c41314ebf17049917a452684db371babf711aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < cf24991619be317e2769310b4a367bf4a04b82bcaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 087d97342c100138ea7d75a50977c9c2319f957baffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d06d937b0a4cdb8867f04275c8100a8b943da31aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a502b997668401a6821501fc98b7f9220f9b6ff2affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 762a6ccf391db0d629e590a803a3a2231e17dd3faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6b0e7438e31c74b01514d31ff35c1e688c4baabaaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b38e53cbfb9d84732e5984fbd73e128d592415c5affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References