{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-28T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
    "id" : "2482579",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482579"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-824",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred.  A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\nThat stale data is then exposed:\n- via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\nat the first NUL in the stale heap), and\n- via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\nclaimed length regardless of NULs, up to 1021 bytes of uninitialized\nheap, with the leak size chosen by the device.\nFix this up by just zapping the buffer with zeros before each request\nsent to the device.", "A flaw was found in the Linux kernel's USB printer (usblp) driver. A malicious USB printer can exploit a heap leak vulnerability by sending a truncated device ID response. This can lead to the disclosure of up to 1021 bytes of uninitialized kernel memory, potentially exposing sensitive information to an attacker." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46151\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46151\nhttps://lore.kernel.org/linux-cve-announce/2026052822-CVE-2026-46151-1361@gregkh/T" ],
  "name" : "CVE-2026-46151",
  "csaw" : false
}