CVE-2026-46283
Description
Linux kernel TPM driver improperly frees sensitive session keys, potentially exposing them in memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's TPM driver has a vulnerability in the tpm_dev_release() function. This function uses kfree() to free the chip->auth structure, which holds sensitive cryptographic material like HMAC session keys and nonces. Unlike other code paths that use kfree_sensitive() to zero memory before freeing, tpm_dev_release() does not, leaving sensitive data in freed memory until it's overwritten [1].
Exploitation
An attacker with the ability to trigger the release of a TPM device, such as through device teardown or driver unloading, could potentially exploit this vulnerability. By carefully timing memory allocation and inspection after the tpm_dev_release() call, an attacker might be able to read sensitive cryptographic material from freed slab memory before it is reused [1].
Impact
Successful exploitation could lead to the disclosure of sensitive cryptographic material, including HMAC session keys, nonces, and passphrase data. This information could be used to compromise the security of TPM-protected operations, potentially leading to unauthorized access or further system compromise.
Mitigation
This vulnerability has been resolved by using kfree_sensitive() in the tpm_dev_release() function to ensure sensitive session keys are scrubbed from memory during device teardown. The fix is available in newer versions of the Linux kernel. No specific fixed version or release date is provided in the available references [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
dd3ac52ea7a0 tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
1 file changed · +1 −2
drivers/char/tpm/tpm-chip.c+1 −2 modifieddiff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index dfeb28866a327..192063a200430 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -283,7 +283,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->work_space.context_buf); kfree(chip->work_space.session_buf); #ifdef CONFIG_TCG_TPM2_HMAC - kfree(chip->auth); + kfree_sensitive(chip->auth); #endif kfree(chip); } -- cgit 1.3-korg
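Review bot: The two frees directly above the changed line, kfree(chip->work_space.context_buf) and kfree(chip->work_space.session_buf), stay as plain kfree(). If those buffers can hold session state that should not outlive the chip, they should move to kfree_sensitive() in the same change; if they cannot, a one-line comment in tpm_dev_release() saying why only chip->auth is scrubbed would save the next reader the question. The replacement itself reads correctly: it stays inside the existing #ifdef CONFIG_TCG_TPM2_HMAC block, and chip is freed in the next statement, so no pointer to the zeroed object is kept.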
53e6d2d834df tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
1 file changed · +1 −2
drivers/char/tpm/tpm-chip.c+1 −2 modifieddiff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index dfeb28866a327..192063a200430 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -283,7 +283,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->work_space.context_buf); kfree(chip->work_space.session_buf); #ifdef CONFIG_TCG_TPM2_HMAC - kfree(chip->auth); + kfree_sensitive(chip->auth); #endif kfree(chip); } -- cgit 1.3-korg
84ced03172da tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
1 file changed · +1 −2
drivers/char/tpm/tpm-chip.c+1 −2 modifieddiff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0719577e584dc..12b7394b34bdc 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -247,7 +247,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->work_space.context_buf); kfree(chip->work_space.session_buf); #ifdef CONFIG_TCG_TPM2_HMAC - kfree(chip->auth); + kfree_sensitive(chip->auth); #endif kfree(chip); } -- cgit 1.3-korg
c424d2664f08 tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
1 file changed · +1 −2
drivers/char/tpm/tpm-chip.c+1 −2 modifieddiff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0719577e584dc..12b7394b34bdc 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -247,7 +247,7 @@ static void tpm_dev_release(struct device *dev) kfree(chip->work_space.context_buf); kfree(chip->work_space.session_buf); #ifdef CONFIG_TCG_TPM2_HMAC - kfree(chip->auth); + kfree_sensitive(chip->auth); #endif kfree(chip); } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The tpm_dev_release() function incorrectly uses kfree() instead of kfree_sensitive() to free memory containing sensitive cryptographic material."
Attack vector
An attacker with the ability to trigger the release of a TPM device can exploit this vulnerability. When the TPM device is released, the `tpm_dev_release()` function is called. This function uses `kfree()` to deallocate memory holding sensitive data, such as HMAC session keys. This leaves the sensitive data in memory until it is overwritten, potentially allowing for information disclosure if the memory is later accessed.
Affected code
The vulnerability resides in the `tpm_dev_release()` function within the file `drivers/char/tpm/tpm-chip.c`. Specifically, the line `kfree(chip->auth);` is the problematic code. This function is responsible for releasing TPM device resources, and it incorrectly uses `kfree()` for sensitive authentication data.
What the fix does
The patch replaces the use of `kfree()` with `kfree_sensitive()` in the `tpm_dev_release()` function when freeing the `chip->auth` structure [patch_id=5239467]. This change ensures that the memory containing sensitive cryptographic material, such as HMAC session keys, is zeroed out before being deallocated. This aligns with other code paths in the driver that also use `kfree_sensitive()` for similar structures, thereby preventing sensitive data from lingering in freed memory.
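The difference between the two free paths can be seen in a userspace model. The following is an added example, not kernel code and not part of the patch; the toy_* functions, the slot sizes and the 0xA5 key bytes are constructed for illustration, with toy_free() standing in for kfree() and toy_free_sensitive() for kfree_sensitive().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy object cache standing in for a kernel slab (constructed for this
 * example): a freed slot keeps its bytes until something reuses it. */
#define SLOT_SIZE 64
#define NSLOTS    4
static uint8_t slab[NSLOTS * SLOT_SIZE];
static int in_use[NSLOTS];

static void *toy_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return &slab[i * SLOT_SIZE]; }
    return NULL;
}

/* kfree() analogue: the slot becomes reusable, its contents are untouched. */
static void toy_free(void *p) { if (p) in_use[((uint8_t *)p - slab) / SLOT_SIZE] = 0; }

/* kfree_sensitive() analogue: zero through a volatile pointer so the
 * compiler cannot drop the stores, then release the slot. NULL is a no-op. */
static void toy_free_sensitive(void *p)
{
    volatile uint8_t *v = p;
    if (!p) return;
    for (size_t i = 0; i < SLOT_SIZE; i++) v[i] = 0;
    toy_free(p);
}

/* Fill an "auth session" slot with constructed key bytes, tear it down, then
 * count nonzero bytes left in the arena (read via slab[], not the freed pointer). */
static size_t teardown_residue(int scrub)
{
    uint8_t *auth = toy_alloc();
    size_t off = (size_t)(auth - slab), left = 0;
    memset(auth, 0xA5, 32);               /* constructed stand-in for a key */
    if (scrub) toy_free_sensitive(auth); else toy_free(auth);
    for (size_t i = 0; i < SLOT_SIZE; i++) left += slab[off + i] != 0;
    return left;
}

int main(void)
{
    printf("plain free leaves %zu key bytes\n", teardown_residue(0));
    printf("scrubbing free leaves %zu key bytes\n", teardown_residue(1));
    return 0;
}
```

The volatile loop mirrors the reason the kernel helper uses memzero_explicit(): an ordinary memset() immediately before a free is a dead store that an optimising compiler may remove.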
Preconditions
- config: The `CONFIG_TCG_TPM2_HMAC` option must be enabled.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.