Description
In the Linux kernel, the following vulnerability has been resolved:

spi: fix resource leaks on device setup failure

Make sure to call controller cleanup() if spi_setup() fails while
registering a device to avoid leaking any resources allocated by
setup().
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel SPI subsystem, controller cleanup() is not invoked when spi_setup() fails while a device is being registered. Without that cleanup, resources allocated by setup() before the failure remain resident in kernel memory. Over time, the accumulation of unreleased resources can exhaust kernel memory or other critical resources, potentially destabilizing the kernel and leading to a denial of service. The flaw corresponds to the CWE‑772 weakness class.

Affected Systems

All Linux kernel‑based systems are affected because the vulnerability resides in the core kernel SPI subsystem. No specific kernel version is listed, so any system running a Linux kernel that does not include the spi cleanup fix may be vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the exploit requires an attacker to trigger a spi_setup failure, which generally means influencing device registration within the kernel, typically achievable with local user privileges or by compromising a kernel process. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 indicates a moderate severity, suggesting that repeated exploitation could deplete system resources and degrade availability. Based on the description, it is inferred that the overall risk remains moderate but can become significant for attackers with kernel‑level or local control.

Generated by OpenCVE AI on May 28, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes the spi cleanup fix
  • If a patch is not yet available, disable or remove vulnerable SPI device drivers or modules from the system configuration
  • Continuously monitor kernel memory and resource usage for abnormal consumption and restart services or the system if necessary

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 27 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: fix resource leaks on device setup failure Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup().
Title spi: fix resource leaks on device setup failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:53:05.346Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46083

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:29.723

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46083

Redhat

Severity : Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46083 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:15:10Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime