Description
In the Linux kernel, the following vulnerability has been resolved:

spi: ch341: fix devres lifetime

USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).

Fix the controller and driver data lifetime so that they are released
on driver unbind.

Note that this also makes sure that the SPI controller is placed
correctly under the USB interface in the device tree.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SPI driver for the CH341 controller manages device resources incorrectly: resources are tied to the parent USB device instead of the USB interface the driver binds to. When the driver is unbound, the associated resources are not released, leading to memory leaks. Over repeated rebind or probe-deferral operations, these unfreed resources can accumulate, potentially exhausting system memory and degrading performance or triggering a denial of service. The primary weakness is a resource-lifetime bug, categorised as a memory leak (CWE-401).

Affected Systems

All Linux kernel releases that include the CH341 SPI driver before the commit referenced in the CVE are potentially affected. No specific version range is supplied; affected builds are any kernel that has not incorporated the fixes hosted in the linked git commits.

Risk and Exploitability

Exploit probability is very low, with an EPSS score of less than 1%, and the vulnerability is not listed in CISA's KEV catalog. The CVSS score is 5.5, indicating moderate risk. The risk stems from its nature as a memory leak that is exacerbated by repeated unbind operations, which may be triggered by configuration changes or device probe deferrals. The attack vector is local, consistent with the CVSS vector (AV:L, PR:L), since it requires interaction with the USB interface; it is inferred that an adversary with local or privileged access could force unbind operations to cause the leak. No public exploit is documented, but the potential for resource exhaustion makes the vulnerability significant for long-running or resource-constrained systems.

Generated by OpenCVE AI on June 10, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel version that includes the CH341 resource‑lifetime fix, as referenced in the linked git commits.
  • If an up‑to‑date kernel is unavailable, backport the commit(s) that adjust devres lifetime and rebuild the kernel.
  • Verify that the device tree correctly places the SPI controller under the USB interface so that the lifetime semantics are respected.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.
Title spi: ch341: fix devres lifetime
First Time appeared Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:11.974Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46228

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:38.433

Modified: 2026-06-10T21:12:31.397

Link: CVE-2026-46228

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46228 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime