CVE-2026-46083 - Vulnerability Details

- spi: fix resource leaks on device setup failure

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: fix resource leaks on device setup failure

Make sure to call controller cleanup() if spi_setup() fails while
registering a device to avoid leaking any resources allocated by
setup().

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the failure to call controller cleanup on spi_setup failure results in leaking resources allocated during device setup. The resulting resource exhaustion can degrade kernel stability and lead to a denial of service. This weakness falls under resource management errors.

Affected Systems

All systems running the Linux kernel are potentially impacted, as the vulnerability is not limited to a specific version or distribution. Vendors identified are Linux, Linux, and the affected product is the Linux kernel itself. No version constraints are provided.

Risk and Exploitability

The vulnerability requires an attacker to trigger an spi_setup failure for a device in the kernel, which typically demands local user privileges or a compromised kernel process. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Consequently, while the possibility of exploitation exists, it is limited to scenarios where an attacker can invoke the problematic device setup path. The overall risk is moderate, emphasizing the importance of keeping the kernel updated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c7299fea67696db5bd09d924d1f1080d894f92ef`	affected	< a2c817c629430fbbd54273525b472dac96e2c8fd
`c7299fea67696db5bd09d924d1f1080d894f92ef`	affected	< 1e774294b2f944f59e03a04eb438768a4b93c3ce
`c7299fea67696db5bd09d924d1f1080d894f92ef`	affected	< 11baa8b24bcb07ae2048f2566a220021d766abe0
`c7299fea67696db5bd09d924d1f1080d894f92ef`	affected	< dbcead54b12468d9aa54c0e1f0042d838ec3b0ae
`c7299fea67696db5bd09d924d1f1080d894f92ef`	affected	< db357034f7e0cf23f233f414a8508312dfe8fbbe
`3e7c190475d98099231ee8ae486d31b1e2e7535a`	affected	—
`4b8b7bc3a726268e5c15d9bafe27863a85fdfc8e`	affected	—
`e92ac9263b06c39f05526ad15c90d228cdab60fd`	affected	—
`5.4.126`	affected	< 5.5
`5.10.44`	affected	< 5.11
`5.12.11`	affected	< 5.13

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel update that includes the spi cleanup fix
If a patch is not yet available, disable or remove vulnerable SPI devices from the system configuration
Continuously monitor system memory and resource usage, and restart affected services or the system if abnormal consumption is detected

Generated by OpenCVE AI on May 27, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0
https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce
https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd
https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe
https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae

History

Wed, 27 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-368

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: spi: fix resource leaks on device setup failure Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup().
Title		spi: fix resource leaks on device setup failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0 https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:58:23.376Z

Updated: 2026-05-27T12:58:23.376Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46083

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:29.723

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:15Z

Weaknesses

CWE-368

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object