Description
In the Linux kernel, the following vulnerability has been resolved:

spi: ch341: fix devres lifetime

USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).

Fix the controller and driver data lifetime so that they are released
on driver unbind.

Note that this also makes sure that the SPI controller is placed
correctly under the USB interface in the device tree.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's SPI driver for the CH341 controller performs device resource management incorrectly, causing resources to be tied to the USB device instead of the USB interface. When the driver is unbound, the associated resources are not released, leading to memory leaks. Over repeated rebind or probe‑deferral operations, these unfreed resources can accumulate, potentially exhausting system memory and degrading performance or triggering a denial of service. The primary weakness is a resource‑lifetime bug, which would be categorised as a memory‑leak issue.
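
The accumulation described above can be seen in a small userspace model. This is an added example, not kernel code and not the ch341 driver's source: `model_devm_alloc`, `model_release_all` and `held_after_rebinds` are hypothetical stand-ins for a managed allocation, the devres release performed on unbind, and a bind/unbind loop without unplugging.

```c
/* Userspace model of devres ownership; not kernel code. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct devres { struct devres *next; unsigned char data[]; };
struct device { struct devres *res; };   /* per-device managed-resource list */

/* Stand-in for a devm allocation: the memory is owned by 'dev'. */
static void *model_devm_alloc(struct device *dev, size_t size)
{
    struct devres *dr = calloc(1, sizeof(*dr) + size);
    if (!dr)
        return NULL;
    dr->next = dev->res;
    dev->res = dr;
    return dr->data;
}

/* Stand-in for devres release: frees everything 'dev' owns, returns how many. */
static int model_release_all(struct device *dev)
{
    int n = 0;
    while (dev->res) {
        struct devres *dr = dev->res;
        dev->res = dr->next;
        free(dr);
        n++;
    }
    return n;
}

/* Bind and unbind 'cycles' times with no unplug; returns allocations still held. */
static int held_after_rebinds(int cycles, int anchor_to_interface)
{
    struct device udev = { NULL }, intf = { NULL };
    for (int i = 0; i < cycles; i++) {
        /* probe(): driver data is owned by whichever device it is anchored to */
        if (!model_devm_alloc(anchor_to_interface ? &intf : &udev, 64))
            break;
        model_release_all(&intf);   /* unbind releases only the interface's devres */
    }
    /* Physical disconnect frees both lists; the count is what had piled up. */
    return model_release_all(&intf) + model_release_all(&udev);
}

int main(void)
{
    printf("device-anchored: %d held\n", held_after_rebinds(100, 0));
    printf("interface-anchored: %d held\n", held_after_rebinds(100, 1));
    return 0;
}
```

Anchoring to the parent leaves one allocation behind per bind/unbind cycle until the device is physically removed; anchoring to the interface leaves none.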

Affected Systems

All Linux kernel releases that include the CH341 SPI driver before the commit referenced in the CVE are potentially affected. No specific version range is supplied; affected builds are any kernel that has not incorporated the fixes hosted in the linked git commits.

Risk and Exploitability

Exploit probability is not quantified (EPSS score is unavailable), and the vulnerability is not listed in CISA's KEV catalog. The risk stems from its nature as a memory leak that could be exacerbated by repeated unbinding events, which may be triggered by configuration changes or device probe deferrals. The attack vector is likely local or user‑initiated, as it requires interaction with the USB interface; it is inferred that an adversary with physical or privileged access could force unbind operations to cause the leak. No public exploit is documented, but the potential for resource exhaustion makes the vulnerability significant for long‑running or resource‑constrained systems.

Generated by OpenCVE AI on May 28, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel version that includes the CH341 resource‑lifetime fix, as referenced in the linked git commits.
  • If an up‑to‑date kernel is unavailable, backport the commit(s) that adjust devres lifetime and rebuild the kernel.
  • Verify that the device tree correctly places the SPI controller under the USB interface so that the lifetime semantics are respected.



Advisories

No advisories yet.

History

Thu, 28 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-401

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.
Title | | spi: ch341: fix devres lifetime
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:48.689Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46228

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:38.433

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:45:19Z

Weaknesses