Skip to main content

Linux Kernel CVE-2026-43460

| EUVDEUVD-2026-28766 HIGH
Double Free (CWE-415)
2026-05-08 Linux GHSA-4xqj-6g2r-4ggr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:52 vuln.today
CVSS changed
May 20, 2026 - 18:52 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip-sfc: Fix double-free in remove() callback

The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.

And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().

AnalysisAI

Local privilege escalation potential in the Linux kernel's Rockchip Serial Flash Controller (SFC) SPI driver arises from a double-free in the remove() callback path, where the driver calls spi_unregister_controller() manually despite already using the devm-managed registration helper. The flaw affects systems using the rockchip-sfc driver and is not currently in CISA KEV, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile), but CVSS 7.8 reflects high local impact if triggered.

Technical ContextAI

The bug lives in drivers/spi/spi-rockchip-sfc.c, the kernel driver for the Rockchip Serial Flash Controller used on Rockchip SoCs for accessing SPI NOR/NAND flash. The driver registered its SPI controller with devm_spi_register_controller(), which ties unregistration to the device-managed (devres) teardown chain - meaning unregistration happens automatically when the device goes away. Calling spi_unregister_controller() again in the explicit .remove() callback frees the same controller object twice, matching CWE-415 (Double Free) and corrupting kernel heap allocator state. The fix switches probe to the non-devm spi_register_controller(), restoring matched manual register/unregister semantics and also ordering unregistration before DMA buffer unmapping.

RemediationAI

Vendor-released patch: Linux 6.18.19, 6.19.9, and 7.0 - upgrade to one of these stable kernels or any later release that includes the rockchip-sfc remove() double-free fix. Distribution users should pull the next kernel update from their vendor (e.g., Debian, Ubuntu, RHEL, Fedora, Android/AOSP for Rockchip devices). If immediate patching is not feasible, the practical compensating control is to avoid loading or to blacklist the rockchip-sfc module (echo 'blacklist spi-rockchip-sfc' into /etc/modprobe.d/), which prevents the vulnerable remove() path from ever running but disables SPI flash access on affected Rockchip hardware - likely breaking boot or storage on devices that rely on this controller. Restricting CAP_SYS_MODULE and physical/console access also reduces the population of users who can trigger driver unbind or module unload. Upstream fix commits are at https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221, https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400, and https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy