CVE-2026-46109
Description
In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix memory leak on ulpi_register() error paths Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 7.0.7-1 |
| debian | sid | fixed | 7.0.7-1 |
| debian | trixie | fixed | 6.12.88-1 |
| sles | affected | |
References
- https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d
- https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d
- https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385
- https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c
- https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b
- https://security-tracker.debian.org/tracker/CVE-2026-46109
- https://www.suse.com/security/cve/CVE-2026-46109.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.