CVE-2026-46167

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl<br /> <br /> Just like in a previous problem in this driver, usblp_ctrl_msg() will<br /> collapse the usb_control_msg() return value to 0/-errno, discarding the<br /> actual number of bytes transferred.<br /> <br /> Ideally that short command should be detected and error out, but many<br /> printers are known to send "incorrect" responses back so we can&amp;#39;t just<br /> do that.<br /> <br /> statusbuf is kmalloc(8) at probe time and never filled before the first<br /> LPGETSTATUS ioctl.<br /> <br /> usblp_read_status() requests 1 byte. If a malicious printer responds<br /> with zero bytes, *statusbuf is one byte of stale kmalloc heap,<br /> sign-extended into the local int status, which the LPGETSTATUS path then<br /> copy_to_user()s directly to the ioctl caller.<br /> <br /> Fix this all by just zapping out the memory buffer when allocated at<br /> probe time. If a later call does a short read, the data will be<br /> identical to what the device sent it the last time, so there is no<br /> "leak" of information happening.