CVE-2026-46096

NONECVSS 0.0

0.0

In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()

tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation:

When name_size() returns an error (unrecognized hash algorithm),

the function returns directly without destroying the buffer.

On the success path, the buffer is never destroyed before

returning.

All other error paths in the function correctly call tpm_buf_destroy() before returning.

Fix both by adding the missing tpm_buf_destroy() calls.

CVSS v3: —
EG Score: 0.0(none)
EPSS: 4.3%
KEV: Not listed

Published

May 27, 2026

Last Modified

May 27, 2026

References (3)

416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2f434be87e256fd58254f60ddf5d7d58e775ca0b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f0f75a3d98b7959a8677b6363e23190f3018636b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8775d9d9062da662cc861f9ff7722a65896d4cd

Vendor Advisories for CVE-2026-46096(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-wq6x-xf86-6rwf
GitHub Security Advisoriesunknown
In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing...

Data Freshness Timeline

(refreshed 9× in last 7d / 9× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-29 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 14:07 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-46096?

CVE-2026-46096 is a none vulnerability published on May 27, 2026. In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpmbufdestroy() in tpm2readpublic() tpm2readpublic() calls tpmbufinit() but fails to call tpmbufdestroy() on two exit paths, leaking a page allocation: 1. When name_size() returns an error (unrecognized…

When was CVE-2026-46096 disclosed?

CVE-2026-46096 was first published in the National Vulnerability Database on May 27, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-46096 actively exploited?

CVE-2026-46096 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 4.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

How do I remediate CVE-2026-46096?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46096, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46096

Explore →

Is Your Infrastructure Affected by CVE-2026-46096?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-46096

📅 Published

🔄 Last Modified

🔗 References (3)

📣 Vendor Advisories for CVE-2026-46096(1)