CVE-2026-46228 Overview
CVE-2026-46228 affects the Linux kernel spi: ch341 driver, where device-managed resources were incorrectly tied to the parent USB device instead of the USB interface. USB drivers bind to USB interfaces, so resources scoped to the parent device persist beyond driver unbind events. This mismatch can produce memory leaks when the driver is unbound without the physical device being disconnected, such as during probe deferral or USB configuration changes. The fix re-scopes the controller and driver data lifetime to the USB interface, ensuring proper release on unbind and correctly placing the SPI controller under the USB interface in the device tree.
Critical Impact
Incorrect devres lifetime in the ch341 SPI driver causes kernel memory leaks on driver unbind, degrading system stability over time on hosts using CH341-based USB-to-SPI adapters.
Affected Products
- Linux kernel versions containing the spi-ch341 USB-to-SPI driver prior to the fix
- Systems using CH341 USB-to-SPI bridge adapters
- Distributions shipping the affected upstream kernel revisions
Discovery Timeline
- 2026-05-28 - CVE-2026-46228 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46228
Vulnerability Analysis
The vulnerability resides in the spi-ch341 driver, which provides Serial Peripheral Interface (SPI) controller support over a CH341 USB bridge. USB drivers in the Linux kernel bind to USB interfaces rather than the parent USB device. Device-managed (devres) allocations must therefore use the interface as the parent so that the kernel releases them when the driver unbinds from that interface.
In the affected code, the SPI controller and associated driver data were allocated with the parent USB device as the devres anchor. As a result, those allocations were not freed when the driver was unbound while the USB device remained enumerated. This commonly occurs during probe deferral, when configuration changes trigger re-probe, or when the driver is manually unbound through sysfs. Each unbind/rebind cycle leaks the controller structure and related driver state, with [CWE-401] memory leak semantics.
A secondary consequence is incorrect device tree topology: the SPI controller appeared under the USB device instead of the USB interface, which can confuse userspace tools and sysfs consumers.
Root Cause
The root cause is incorrect parent selection for devm_* allocations in the ch341 SPI driver. Tying device-managed resources to the USB device rather than the USB interface decouples their lifetime from the driver's bind state on the interface.
Attack Vector
This is a local reliability issue rather than a remotely exploitable flaw. Triggering the leak requires the ability to cause repeated bind/unbind cycles of the spi-ch341 driver, for example through sysfs bind/unbind writes or repeated probe deferral conditions, on a system with a CH341 USB-to-SPI adapter attached. See the upstream commits referenced below for the corrected resource ownership.
The vulnerability is described in prose because no verified proof-of-concept code is published. Refer to the Git Kernel Commit 108a64b, Git Kernel Commit 4422fc2, and Git Kernel Commit abe572f for the applied fixes.
Detection Methods for CVE-2026-46228
Indicators of Compromise
- Growing kernel slab usage attributable to spi-ch341 allocations across driver bind/unbind cycles.
- Presence of CH341 USB devices (USB vendor/product 1a86:5512) on hosts running an unpatched kernel.
- SPI controller nodes in sysfs appearing under the USB device rather than the USB interface.
Detection Strategies
- Compare the running kernel version against the fixed commits referenced in the NVD entry to confirm exposure.
- Use kmemleak or slabtop to identify retained allocations after unbinding spi-ch341 from an attached CH341 adapter.
- Inspect /sys/bus/usb/drivers/spi-ch341/ and the device tree path of the resulting SPI controller to verify correct interface parenting.
Monitoring Recommendations
- Track kernel memory growth on systems that hot-plug or re-probe CH341-based SPI adapters in development or lab environments.
- Alert on repeated spi-ch341 probe deferral messages in dmesg, which can accelerate leak accumulation.
- Inventory endpoints and embedded hosts using CH341 USB-to-SPI bridges to scope patch deployment.
How to Mitigate CVE-2026-46228
Immediate Actions Required
- Upgrade to a Linux kernel that includes the upstream fixes referenced by commits 108a64b, 4422fc2, and abe572f.
- On systems that cannot patch immediately, avoid repeated bind/unbind cycles of the spi-ch341 driver.
- Restrict local user access to sysfs driver bind/unbind interfaces, which require CAP_SYS_ADMIN.
Patch Information
The issue is resolved upstream in the Linux kernel. Apply a distribution kernel update that incorporates the commits listed in the NVD references: Git Kernel Commit 108a64b, Git Kernel Commit 4422fc2, and Git Kernel Commit abe572f. The fix changes devres allocations in spi-ch341 to use the USB interface as the parent device.
Workarounds
- Unload the spi-ch341 module entirely (rmmod spi_ch341) when the adapter is not in active use to release accumulated allocations.
- Physically disconnect CH341 adapters rather than triggering driver unbind via sysfs on unpatched kernels.
- Limit configurations that cause probe deferral on the USB subsystem to reduce leak frequency until patching completes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
