CVE-2026-46091 Overview
CVE-2026-46091 affects the Linux kernel's igorplugusb infrared remote control USB driver located under drivers/media/rc/. The driver issued USB control requests using a request structure that did not follow Direct Memory Access (DMA) coherency rules. On host controllers (HCs) that perform DMA on the USB request structure, this can produce undefined behavior, memory corruption, or unreliable device operation. Maintainers resolved the issue by allocating the USB control request structure separately so it satisfies DMA coherency requirements. The fix was applied across multiple stable kernel branches.
Critical Impact
Improper DMA buffer handling in the igorplugusb driver may cause memory corruption or unstable kernel behavior on USB host controllers that DMA the control request structure.
Affected Products
- Linux kernel drivers/media/rc/igorplugusb.c infrared receiver driver
- Systems using Igor Plug USB IR receivers on host controllers that perform DMA on control transfer structures
- Multiple stable Linux kernel branches prior to the referenced fix commits
Discovery Timeline
- 2026-05-27 - CVE-2026-46091 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46091
Vulnerability Analysis
The igorplugusb driver sends USB control requests to communicate with the IR receiver hardware. A USB control request is described by a struct usb_ctrlrequest (the 8-byte setup packet) that the host controller transmits during the SETUP stage of a control transfer. On host controllers that move this structure via DMA, the memory backing the structure must follow kernel DMA coherency rules, meaning it must not share a cache line with unrelated data and must be allocated from a DMA-capable region.
In the vulnerable code, the request structure was not allocated separately and did not honor these rules. When the USB core or HCD layer mapped the structure for DMA, cache line sharing with surrounding data could trigger cache coherency problems. The result is potential corruption of adjacent memory, stale data being transmitted on the bus, or driver malfunction. While this is primarily a stability and correctness issue, kernel memory corruption flaws can have security implications in multi-tenant or attacker-controlled-device scenarios.
Root Cause
The root cause is improper allocation of a DMA-accessible buffer. The struct usb_ctrlrequest was embedded in a structure that did not meet DMA coherency requirements (kernel driver vulnerability class). The remediation allocates the control request as a standalone, DMA-safe buffer.
Attack Vector
No public exploitation technique is documented and no proof-of-concept is available. The flaw requires presence of the igorplugusb IR USB device or an attacker-controlled USB device that binds to this driver. Triggering corruption depends on the behavior of the underlying USB host controller. See the upstream commits for technical details: Kernel Git Commit 0adac0e and Kernel Git Commit eac6947.
Detection Methods for CVE-2026-46091
Indicators of Compromise
- No specific runtime indicators of compromise are published for this vulnerability.
- Unexpected kernel log entries referencing igorplugusb, USB control transfer failures, or DMA-related warnings on systems with IR receivers may indicate the buggy code path is in use.
Detection Strategies
- Inventory Linux hosts to identify kernels predating the fix commits referenced in the kernel.org stable tree.
- Check whether the igorplugusb module is loaded using lsmod | grep igorplugusb and verify the running kernel version with uname -r.
- Compare installed kernel package versions against distribution security advisories that incorporate the upstream patches.
Monitoring Recommendations
- Monitor dmesg for USB control transfer errors, IR driver probe failures, or memory corruption warnings (KASAN, slab errors) on systems with IR USB hardware.
- Track USB device enumeration events in audit logs to detect connection of unexpected USB devices that may bind to the igorplugusb driver.
How to Mitigate CVE-2026-46091
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution that incorporates the upstream fix commits.
- If patching is not immediately possible, blacklist the igorplugusb module on hosts that do not require IR remote functionality.
- Restrict physical and virtual USB device access on servers and workstations where untrusted USB hardware could be attached.
Patch Information
The vulnerability is resolved upstream by allocating the USB control request structure separately so it conforms to DMA coherency rules. Fix commits are available in the kernel stable tree: Kernel Git Commit 0adac0e, Kernel Git Commit 0be8fcd, Kernel Git Commit 18d6a7c, Kernel Git Commit a62ca67, and Kernel Git Commit eac6947. Install the corresponding distribution-provided kernel package and reboot.
Workarounds
- Prevent the vulnerable driver from loading by adding blacklist igorplugusb to a file under /etc/modprobe.d/ on systems that do not need IR receiver support.
- Enforce USB device control policies (for example USBGuard) to prevent unauthorized USB devices from binding to kernel drivers.
# Configuration example: blacklist the igorplugusb module
echo "blacklist igorplugusb" | sudo tee /etc/modprobe.d/blacklist-igorplugusb.conf
sudo rmmod igorplugusb 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
