CVE-2026-46074
Analyzed Analyzed - Analysis Complete

spi: ch341 USB-to-Serial Driver Memory Leak Fix

Vulnerability report for CVE-2026-46074, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix memory leaks on probe failures Make sure to deregister the controller, disable pins, and kill and free the RX URB on probe failures to mirror disconnect and avoid memory leaks and use-after-free. Also add an explicit URB kill on disconnect for symmetry (even if that is not strictly required as USB core would have stopped it in the current setup).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-24
Generated
2026-07-07
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 6.11 (inc) to 6.12.86 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's spi: ch341 driver, where memory leaks occur during probe failures. Specifically, when the driver fails to initialize properly, it does not correctly deregister the controller, disable pins, or kill and free the RX URB (USB Request Block). This improper handling can lead to memory leaks and use-after-free issues. The fix involves ensuring these resources are properly cleaned up on probe failures and adding an explicit URB kill on disconnect for symmetry.

Impact Analysis

The impact of this vulnerability includes potential memory leaks and use-after-free conditions in the Linux kernel when using the spi: ch341 driver. Memory leaks can degrade system performance over time by consuming resources unnecessarily, while use-after-free issues can lead to system instability or crashes. In some cases, such vulnerabilities might be exploitable to cause denial of service or other unintended behavior.

Mitigation Strategies

The vulnerability involves memory leaks and use-after-free issues in the ch341 SPI driver in the Linux kernel during probe failures.

To mitigate this vulnerability, ensure your Linux kernel is updated to a version where this issue is fixed. The fix involves proper deregistration of the controller, disabling pins, and killing and freeing the RX URB on probe failures, as well as explicitly killing the URB on disconnect.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart