CVE-2026-31485

EUVD-2026-24849

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-lpspi: fix teardown order issue (UAF)

There is a teardown order issue in the driver. The SPI controller is
registered using devm_spi_register_controller(), which delays
unregistration of the SPI controller until after the fsl_lpspi_remove()
function returns.

As the fsl_lpspi_remove() function synchronously tears down the DMA
channels, a running SPI transfer triggers the following NULL pointer
dereference due to use after free:

| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
|  spi_transfer_one_message+0x49c/0x7c8
|  __spi_pump_transfer_message+0x120/0x420
|  __spi_sync+0x2c4/0x520
|  spi_sync+0x34/0x60
|  spidev_message+0x20c/0x378 [spidev]
|  spidev_ioctl+0x398/0x750 [spidev]
[...]

Switch from devm_spi_register_controller() to spi_register_controller() in
fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in
fsl_lpspi_remove().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.10.1 ≤ 𝑥 < 5.10.253
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.168
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.131
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.80
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.21
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.11
linux	linux_kernel	4.10
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6
linux	linux_kernel	7.0:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.257-1 fixed
forky	7.0.10-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, andere nicht näher spezifizierte Auswirkungen zu verursachen und möglicherweise Code auszuführen.
Published: 2026-04-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300

https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86

https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e

https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb

https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc

https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b

https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3

https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6