Skip to main content

Linux Kernel CVE-2026-31485

| EUVDEUVD-2026-24849 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-355q-5chg-4qpr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 13:23 vuln.today
CVSS changed
Apr 28, 2026 - 13:22 NVD
7.8 (HIGH)
Patch released
Apr 28, 2026 - 13:12 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24849
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-lpspi: fix teardown order issue (UAF)

There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns.

As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free:

| fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...]

| Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...]

Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().

AnalysisAI

Use-after-free in Linux kernel SPI subsystem (fsl_lpspi driver) causes NULL pointer dereference when DMA channels are torn down while SPI transfers are active. Local attackers with low privileges can trigger denial of service or potentially execute arbitrary code on affected systems running Linux kernel versions from 4.10 through 7.0-rc2, particularly impacting embedded and IoT devices using Freescale LPSPI controllers. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Technical ContextAI

This vulnerability affects the fsl_lpspi SPI controller driver in the Linux kernel, specifically the Direct Memory Access (DMA) teardown logic. The root cause is CWE-416 (Use After Free) stemming from incorrect resource lifecycle management. The driver uses devm_spi_register_controller() for device-managed registration, which defers SPI controller unregistration until after the driver's remove() function completes. However, fsl_lpspi_remove() synchronously releases DMA channels before the controller is unregistered, creating a race condition. If an SPI transfer is in progress during module removal (via spidev IOCTL or other kernel SPI operations), the DMA callback references freed memory, triggering a NULL pointer dereference in fsl_lpspi_dma_transfer(). The vulnerability exists in kernel versions from 4.10 (when the driver was introduced via commit 5314987de5e5) through 7.0-rc2, affecting ARM-based embedded systems using NXP/Freescale Low Power SPI peripherals common in automotive, industrial, and IoT applications.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253+ for 5.10.x LTS branch, 5.15.203+ for 5.15.x LTS, 6.1.168+ for 6.1.x LTS, 6.6.131+ for 6.6.x stable, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0 final release for mainline. Patches available at https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e (mainline fix) and branch-specific commits referenced in NVD links. The fix replaces devm_spi_register_controller() with explicit spi_register_controller()/spi_unregister_controller() calls to ensure proper teardown ordering. For systems unable to upgrade immediately, implement compensating controls: restrict module unload permissions (disable non-root rmmod via kernel.modules_disabled sysctl), minimize local user access to SPI device nodes (/dev/spidev*), and avoid SPI operations during system shutdown/reboot sequences. Note that blocking module unload may complicate system maintenance and debugging. Monitor kernel logs for 'I/O Error in DMA RX' messages from fsl_lpspi driver as potential exploitation indicators. Enterprise distributions (RHEL, Ubuntu, SUSE) will incorporate fixes into their kernel update streams - consult vendor security advisories for distribution-specific patch versions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy