CVE-2026-46283

MEDIUM

tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown.

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (15)
linux/Kernel 6.10.0 - 6.12.86linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
Linux/Linux < 6.10
Linux/Linux 6.10
Linux/Linux 6.12.86 - 6.12.*
Linux/Linux 6.18.27 - 6.18.*
Linux/Linux 699e3efd6c645c741ea4d6d58282c56b6d108cf7 - 53e6d2d834df40960b655b353e7a8ff4d927e1c7
Linux/Linux 699e3efd6c645c741ea4d6d58282c56b6d108cf7 - 84ced03172da544c9f8c0862faad48104f519352
Linux/Linux 699e3efd6c645c741ea4d6d58282c56b6d108cf7 - c424d2664f08c77f08b4580b5f0cbaabf7c229b2
... and 5 more
Published Jun 08, 2026
Tracked Since Jun 08, 2026