CVE-2026-46228 Linux CVE debrief

Who should care

System administrators managing Linux systems with CH341 USB-to-SPI adapters; embedded systems developers using CH341-based hardware; kernel maintainers tracking stable branch updates

Technical summary

The CH341 USB-to-SPI driver in the Linux kernel incorrectly managed device resource lifetimes by binding them to the parent USB device instead of the USB interface. This caused memory leaks during driver unbind scenarios like probe deferral or configuration changes. The fix corrects the controller and driver data lifetime to release on driver unbind and ensures proper device tree placement of the SPI controller under the USB interface.

Defensive priority

medium

Recommended defensive actions

• Review systems using CH341 USB-to-SPI adapters and apply kernel updates containing the referenced commits
• Monitor kernel stable releases for inclusion of this fix
• Verify SPI controller device tree placement on affected systems after driver updates

Evidence notes

The CVE description and source references confirm this is a memory management fix in the Linux kernel's spi: ch341 driver. The fix addresses devres lifetime issues by binding resources to the USB interface rather than the parent USB device. Three kernel.org stable commits are provided as references.

Official resources