CVE-2026-46167 Overview
CVE-2026-46167 is an uninitialized memory disclosure vulnerability in the Linux kernel usblp USB printer driver. The flaw resides in the LPGETSTATUS ioctl path, where the driver can return stale kernel heap data to userspace. The usblp_ctrl_msg() function collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. When a USB printer responds with zero bytes to a status request, the kernel reads one byte of uninitialized kmalloc heap memory and copies it to the calling process.
Critical Impact
A local user with access to a usblp device or a malicious USB printer can trigger disclosure of uninitialized kernel heap memory through the LPGETSTATUS ioctl, potentially leaking sensitive data useful for further kernel exploitation.
Affected Products
- Linux kernel usblp USB printer class driver (drivers/usb/class/usblp.c)
- Linux kernel stable branches prior to the fix commits referenced in the advisory
- Systems exposing /dev/usb/lpN to local users or accepting untrusted USB printer devices
Discovery Timeline
- 2026-05-28 - CVE CVE-2026-46167 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46167
Vulnerability Analysis
The usblp driver allocates an 8-byte statusbuf via kmalloc() at probe time but does not zero it before first use. The usblp_read_status() function issues a USB control request asking for one byte of printer status. The helper usblp_ctrl_msg() discards the actual transfer length from usb_control_msg() and returns only success or an error code.
When a printer replies with zero bytes, statusbuf retains whatever uninitialized heap contents were present at allocation. The driver then sign-extends the first byte of statusbuf into a local int status value. The LPGETSTATUS ioctl handler passes this value through copy_to_user(), exposing one byte of kernel heap memory per call to the user.
Repeated invocations across multiple probe cycles can disclose different heap regions. Although a single byte is small, the leak is deterministic and can be combined with other primitives to defeat kernel address space layout randomization or reveal cryptographic material residing in slab caches [CWE-908: Use of Uninitialized Resource].
Root Cause
The root cause is the absence of buffer initialization combined with the loss of transfer-length information. kmalloc() does not zero memory by default, and the driver assumes every USB control transfer fully populates statusbuf. A short read leaves the buffer in its pre-allocation state, which contains residual data from previously freed kernel objects.
Attack Vector
An attacker with permission to open the usblp character device can issue LPGETSTATUS ioctls immediately after device probe. A malicious or non-compliant USB printer that returns zero-byte status responses guarantees the short-read condition. Physical USB access or attached evil-peripheral scenarios make the vector practical in shared lab, kiosk, and print-server environments.
No synthetic exploit code is reproduced here. Technical details of the fix are available in the upstream commit logs referenced by the Linux Kernel Commit Log and related backports.
Detection Methods for CVE-2026-46167
Indicators of Compromise
- Unexpected loading of the usblp kernel module on servers that do not require USB printer support.
- Userspace processes repeatedly issuing LPGETSTATUS (0x060b) ioctls against /dev/usb/lp* devices.
- USB device connect events for printer-class devices on systems handling sensitive workloads.
Detection Strategies
- Audit auditd for ioctl syscalls targeting /dev/usb/lp* paired with the LPGETSTATUS command number.
- Monitor udev and kernel logs for usblp probe messages on hosts that should not have printers attached.
- Compare running kernel version against fixed stable releases referenced in the upstream commit logs.
Monitoring Recommendations
- Forward kernel module load events and USB device enumeration logs to a central logging platform for correlation.
- Alert on first-time appearance of USB printer-class devices on production servers, build hosts, and identity systems.
- Track patch compliance of Linux distribution kernel packages against vendor security trackers.
How to Mitigate CVE-2026-46167
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that includes the usblp fix.
- On systems that do not require USB printing, blacklist the usblp module to remove the attack surface entirely.
- Restrict permissions on /dev/usb/lp* so only trusted print service accounts can issue ioctls.
Patch Information
The upstream fix zeroes statusbuf at allocation so that any short read returns deterministic, non-sensitive data instead of stale heap contents. The fix is distributed across the stable trees in commits 6b0e7438e31c, 762a6ccf391d, a502b9976684, b38e53cbfb9d, and d06d937b0a4c. Distribution kernels should be updated to the corresponding backported releases.
Workarounds
- Blacklist the usblp module in /etc/modprobe.d/ on systems that do not need USB printing.
- Use udev rules to deny non-root access to USB printer devices until the kernel is patched.
- Disable unattended USB port access on shared or kiosk hosts where untrusted printers could be connected.
# Configuration example
# Prevent the vulnerable driver from loading on systems that do not need USB printing
echo "blacklist usblp" | sudo tee /etc/modprobe.d/blacklist-usblp.conf
sudo rmmod usblp 2>/dev/null || true
# Restrict device node permissions for any usblp devices that still appear
sudo tee /etc/udev/rules.d/99-usblp-restrict.rules <<'EOF'
SUBSYSTEM=="usb", KERNEL=="lp[0-9]*", MODE="0600", OWNER="root", GROUP="root"
EOF
sudo udevadm control --reload-rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
