Skip to main content

Linux Kernel CVE-2026-31487

| EUVDEUVD-2026-24853 MEDIUM
Improper Locking (CWE-667)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vq56-9rjp-57fc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 28, 2026 - 13:07 vuln.today
CVSS changed
Apr 28, 2026 - 13:07 NVD
5.5 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24853
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: use generic driver_override infrastructure

When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF.

Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally.

Note that calling match() from __driver_attach() without the device lock held is intentional. [1]

Also note that we do not enable the driver_override feature of struct bus_type, as SPI - in contrast to most other buses - passes "" to sysfs_emit() when the driver_override pointer is NULL. Thus, printing "\n" instead of "(null)\n".

AnalysisAI

Use-after-free vulnerability in the Linux kernel SPI subsystem allows local authenticated attackers to cause denial of service by exploiting unsynchronized access to the driver_override field during device probe operations. The vulnerability occurs because __driver_attach() calls the bus match() callback without holding the device lock, creating a race condition when driver_override is accessed without proper synchronization. CVSS score of 5.5 reflects local attack vector with low complexity and high availability impact. EPSS exploitation probability is minimal at 0.02%, suggesting this is a localized memory safety issue rather than a widely-exploited attack vector.

Technical ContextAI

The Linux kernel SPI bus subsystem manages device-to-driver binding through a probe mechanism that invokes match() callbacks. The vulnerability exists in the driver_override field handling, which is part of the device driver binding infrastructure. CWE-667 identifies this as an improper locking issue - specifically, the field is accessed without the device lock during __driver_attach() probe path, which is an intentional design choice for performance but creates a window for use-after-free (UAF) conditions. The fix migrates SPI to use the kernel's generic driver_override infrastructure from struct bus_type, which implements proper locking semantics internally. The SPI bus has a non-standard behavior of passing empty string instead of null to sysfs_emit() when driver_override is NULL, requiring special handling to maintain backward compatibility.

RemediationAI

Apply the upstream kernel fix by updating to patched versions: Linux 6.18.21, 6.12.80, 6.19.11, or 7.0 final release. Administrators should prioritize patching systems with non-standard SPI hardware configurations. For systems unable to patch immediately, restrict local user access and shell accounts to trusted administrators only, as the vulnerability requires PR:L (low privilege authentication). Disable SPI driver probing via sysfs if the SPI subsystem is not actively used by applying device-tree or kernel command-line restrictions to unload unused SPI bus drivers. Monitor for UAF-related kernel warnings (KASAN, UBSAN if enabled) in kernel logs. Patches are available from Linux stable repositories at https://git.kernel.org/stable/c/ with the commit hashes listed above; verify the specific version number matches your kernel branch before applying.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy