Skip to main content

Linux Kernel CVE-2026-46074

| EUVDEUVD-2026-32456 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rv45-g592-f3p6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and CH341 USB device required; low privilege sufficient via automatic module load; no confidentiality or integrity impact confirmed.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:10 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: ch341: fix memory leaks on probe failures

Make sure to deregister the controller, disable pins, and kill and free the RX URB on probe failures to mirror disconnect and avoid memory leaks and use-after-free.

Also add an explicit URB kill on disconnect for symmetry (even if that is not strictly required as USB core would have stopped it in the current setup).

AnalysisAI

Memory leak and potential use-after-free in the Linux kernel's spi-ch341 USB driver expose systems to local denial-of-service when CH341 device probe failures occur without proper resource cleanup. Kernels from the commit introducing the spi-ch341 driver (8846739f52afa07e63395c80227dc544f54bd7b1) through the respective stable-branch fix commits across the 6.11 through 7.0 lineages are affected. Repeated probe failures accumulate leaked kernel memory that can exhaust system resources; no active exploitation is identified (EPSS 0.02%, no CISA KEV listing), placing this firmly in the maintenance-priority rather than incident-response category.

Technical ContextAI

The CH341 is a WinChipHead USB multi-function chip providing SPI, I2C, and UART interfaces, widely used in embedded development hardware and USB-to-SPI adapters. The Linux kernel's spi-ch341 driver manages the USB device lifecycle via probe() and disconnect() callbacks. CWE-401 (Missing Release of Memory after Effective Lifetime) manifests because the probe() error path failed to symmetrically mirror the disconnect() path: on initialization failure, the driver exited without deregistering the SPI controller, disabling GPIO pins, or killing and freeing the RX URB (USB Request Block). The disconnect() path performed these cleanups, creating a resource-management asymmetry. The absence of an explicit URB kill on disconnect further introduced a theoretical use-after-free window. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable series, with fix commits published to the kernel stable tree.

RemediationAI

The primary fix is to upgrade to a patched kernel version: Linux 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 per EUVD. The upstream fix commits are available directly at https://git.kernel.org/stable/c/5c6518633702d7f7b1153e9d8e042af847f11ef3, https://git.kernel.org/stable/c/9bee2faf9e21c796d0d222c9d84a98f41bd303a0, https://git.kernel.org/stable/c/b99e3ddb91b499d920e63a2daff8880be68cfe9e, and https://git.kernel.org/stable/c/ff8a7996dc8bf433efe2126ffdaee5b374a89e30. For systems that cannot be immediately patched, adding 'blacklist spi-ch341' to /etc/modprobe.d/blacklist.conf prevents the driver from loading automatically on CH341 device attachment; the trade-off is that CH341 SPI functionality becomes unavailable for connected hardware. Additionally, enforcing USB device authorization policies (via the Linux USB authorization framework or udev rules) to block unrecognized USB devices limits the attack surface at the cost of operational overhead for legitimate USB device management. No formal vendor advisory URL beyond kernel.org git references is available.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy