What is GHSA-qpf5-pj4j-j3vf?

GHSA-qpf5-pj4j-j3vf is a security advisory published by GitHub Security Advisories with unknown severity. In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres...

Which CVE IDs does GHSA-qpf5-pj4j-j3vf cover?

GHSA-qpf5-pj4j-j3vf covers the following CVE IDs: CVE-2026-46228. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-qpf5-pj4j-j3vfunknown

In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres...

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-46228 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

spi: ch341: fix devres lifetime

USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).

Fix the controller and driver data lifetime so that they are released on driver unbind.

Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-46228
https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5
https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254
https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f
https://github.com/advisories/GHSA-qpf5-pj4j-j3vf