CVE-2026-46228

Published: June 2, 2026Last modified: June 2, 2026

Description

In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	linux-lts	Not affected (6.1.33-r0)
	25 LTS	linux-lts	Vulnerable (6.12.87-r0)
	Stream	linux-lts	Vulnerable (6.12.87-r0)

References

https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5
https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254
https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f