CVE-2026-23207

EUVD-2026-5838

14.02.2026, 17:15

In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer check in IRQ handler

Now that all other accesses to curr_xfer are done under the lock,
protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the
spinlock. Without this protection, the following race can occur:

  CPU0 (ISR thread)              CPU1 (timeout path)
  ----------------               -------------------
  if (!tqspi->curr_xfer)
    // sees non-NULL
                                 spin_lock()
                                 tqspi->curr_xfer = NULL
                                 spin_unlock()
  handle_*_xfer()
    spin_lock()
    t = tqspi->curr_xfer  // NULL!
    ... t->len ...        // NULL dereference!

With this patch, all curr_xfer accesses are now properly synchronized.

Although all accesses to curr_xfer are done under the lock, in
tegra_qspi_isr_thread() it checks for NULL, releases the lock and
reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().
There is a potential for an update in between, which could cause a NULL
pointer dereference.

To handle this, add a NULL check inside the handlers after acquiring
the lock. This ensures that if the timeout path has already cleared
curr_xfer, the handler will safely return without dereferencing the
NULL pointer.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.15.198 ≤ 𝑥 < 5.16
linux	linux_kernel	6.1.160 ≤ 𝑥 < 6.2
linux	linux_kernel	6.6.120 ≤ 𝑥 < 6.7
linux	linux_kernel	6.12.63 ≤ 𝑥 < 6.13
linux	linux_kernel	6.17.13 ≤ 𝑥 < 6.18
linux	linux_kernel	6.18.2 ≤ 𝑥 < 6.18.10
linux	linux_kernel	6.19:rc1
linux	linux_kernel	6.19:rc2
linux	linux_kernel	6.19:rc3
linux	linux_kernel	6.19:rc4
linux	linux_kernel	6.19:rc5
linux	linux_kernel	6.19:rc6
linux	linux_kernel	6.19:rc7
linux	linux_kernel	6.19:rc8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.92.1

fixed

dlm-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.92.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.92.1

fixed

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1.150600.12.42.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.92.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.92.1

fixed

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57

https://git.kernel.org/stable/c/84e926c1c272a35ddb9b86842d32fa833a60dfc7

https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e