MEDIUM 5.5

CVE-2026-46228: Linux Kernel CH341 SPI Driver Memory Leak (CVSS 5.5)

A memory management flaw in the Linux kernel's SPI CH341 USB driver can cause memory to persist after the driver is unloaded, potentially leading to denial of service. The issue arises because device resources tied to a USB driver are incorrectly managed at the parent device level rather than at the individual interface level, preventing proper cleanup when drivers unbind without physical device disconnection.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-401
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46228 addresses a device resource lifetime bug in the Linux kernel's ch341 SPI driver (drivers/spi/spi-ch341.c). USB drivers should use devres (device-managed resources) with their bound interface as the lifetime anchor, not the parent USB device. When a driver unbinds—such as during probe deferral or configuration changes—resources tied to the parent device are not released, violating the device tree hierarchy and leaving dangling references. The fix ensures the SPI controller device and associated driver data are properly deallocated during driver unbind operations, restoring correct resource ownership within the USB device hierarchy.

Business impact

This vulnerability presents a localized denial-of-service risk on systems running affected Linux kernel versions where the CH341 SPI adapter is in use and undergoes driver rebinding operations. Memory leaks accumulate with each unbind-rebind cycle, eventually exhausting available memory and degrading system stability. Organizations relying on CH341-based SPI hardware for embedded systems, IoT deployments, or USB peripheral management should prioritize assessment, particularly in environments with frequent driver reloading or hot-plugging scenarios.

Affected systems

The vulnerability affects the Linux kernel across all distributions and versions prior to the fix. The specific attack surface is limited to systems with active CH341 USB-to-SPI adapters and scenarios triggering driver unbind without physical device removal—most commonly probe deferrals, system reconfiguration, or driver reload during development and testing. Enterprise servers and standard workstations without such hardware are unaffected; the risk is concentrated in embedded Linux, IoT, and specialized USB peripheral environments.

Exploitability

Exploitation requires local access and the ability to trigger driver unbind operations (e.g., via sysfs or udev rule changes). No remote exploitation vector exists. The attack is not trivial and requires either administrative capability or unprivileged user access to driver-control interfaces. Real-world exploitation is limited to scenarios where an attacker has shell access and explicit control over USB driver binding state.

Remediation

Apply the kernel patch that corrects devres lifetime binding for the CH341 SPI driver. The fix realigns resource ownership so that controller and driver data are tied to the USB interface rather than the parent device, ensuring cleanup on driver unbind. Verify the patch is included in your kernel version by checking git logs for the ch341 driver fixes post-2026-06-17.

Patch guidance

Obtain and apply the upstream Linux kernel patch addressing SPI CH341 devres lifetime (merged after 2026-06-17). Check your distribution's kernel update schedule to determine when the fix will be available in stable releases. For users on LTS kernels, verify with your distribution's security advisories and stable kernel backports. If running a custom kernel, pull the fix from the mainline Linux repository or apply the upstream patch directly. Verify patch application by confirming the SPI controller is listed under the USB interface in /sys/bus/usb/devices/ device tree output post-reboot.

Detection guidance

Monitor for repeated driver unbind/rebind cycles on CH341 SPI devices using sysfs logging or custom udev rules. Kernel memory consumption patterns showing non-reclaimed allocation during driver lifecycle transitions may indicate the vulnerability. On affected systems, observe dmesg for resource warnings or memory pressure events coinciding with SPI driver state changes. No userspace detection method is definitive; kernel instrumentation or memory profiling is required for confirmation.

Why prioritize this

While the CVSS score of 5.5 (Medium) reflects limited attack surface and local-only access requirements, the fix is straightforward and kernel updates should be applied as part of routine patching. Prioritize systems where CH341 adapters are deployed and driver reloading is common (development labs, IoT deployments). Standard servers without USB SPI peripherals can defer this update to the next scheduled maintenance window.

Risk score, explained

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 5.5 because the vulnerability requires local access (AV:L), involves low attack complexity (AC:L), demands low privilege (PR:L) but not unauthorized user exploitation, has no user interaction requirement (UI:N), is scoped to a single user context (S:U), offers no confidentiality or integrity impact (C:N/I:N), but delivers high availability impact through memory exhaustion (A:H). The score appropriately reflects a localized denial-of-service risk without broader system compromise.

Frequently asked questions

Does this vulnerability affect my system if I don't use CH341 USB SPI adapters?

No. The vulnerability is specific to the ch341 SPI driver in the Linux kernel. If your systems do not have CH341 hardware or have no SPI USB adapters, you are unaffected. Standard servers, workstations, and devices without this hardware are not at risk.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local access and the ability to trigger driver unbind operations, typically through sysfs manipulation or udev reconfiguration. Remote exploitation is not possible.

What is the real-world impact of the memory leak?

Memory is not reclaimed when the CH341 SPI driver unbinds. In environments where the driver is frequently reloaded (such as development, testing, or hot-swap scenarios), memory leaks accumulate over time. Sustained attacks or repeated rebind cycles can exhaust memory and cause system denial of service.

When should I apply this patch?

Apply the patch as part of your next kernel update cycle. If you actively use CH341 adapters and frequently reload drivers, prioritize updating sooner. For most enterprise environments without such hardware, standard patch timing is acceptable. Check your distribution's security advisories for specific guidance.

This analysis is based on publicly available vulnerability data current as of the publication date. While efforts have been made to ensure accuracy, SEC.co makes no warranty regarding completeness or applicability to specific environments. Security teams should validate all information against official vendor advisories, kernel release notes, and distribution-specific security bulletins before making remediation decisions. The vulnerability requires local access and affects only systems with CH341 SPI hardware; risk assessment should be tailored to your infrastructure. Consult your organization's change management and patch testing procedures before deploying kernel updates to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).