Skip to main content

Linux Kernel CVE-2026-45996

| EUVDEUVD-2026-32292 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3wqv-wjx5-m93q
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local-only kernel UAF requiring driver unbind (root/CAP_SYS_ADMIN, so PR:H) and a timing race on free-then-reuse (AC:H); successful exploitation yields full kernel CIA impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:55 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: imx: fix use-after-free on unbind

The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed).

Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it.

AnalysisAI

Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.

Technical ContextAI

The flaw lives in drivers/spi/spi-imx.c, the Linux SPI master driver for NXP/Freescale i.MX SoCs. The SPI core framework frees the spi_controller structure (and any non-devm driver data hanging off it) during spi_unregister_controller() on driver unbind. The imx driver continued to dereference that data after deregistration, producing a classic CWE-416 use-after-free; the fix takes an additional reference (spi_controller_get) before unregistering so the structure stays valid until the driver's remove path is complete. Per CPE data, all listed entries reference cpe:2.3:o:linux:linux_kernel and the EUVD record names the regression range starting from commit 307c897db762 (introduced around 5.19) with fixes back-ported across 6.6.140, 6.12.86, 6.18.27, 7.0.4 and the 7.1-rc1 mainline.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1, or any later release on each respective stable branch, applying the upstream stable commits referenced at https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff, /1c78c2002380a1fe31bfb01a3d5f29809e55a096, /385a330083f8dd47c15b02e9a83aef9234a37003, /aa9025a498036b6012769f7af36d421385386c17, and /f99165ef067723221472ce1aff632bc74f562643. For distribution kernels, pull the corresponding vendor backport (Debian/Ubuntu/RHEL/SUSE/Yocto BSP) once published. As an interim compensating control on i.MX devices that cannot be patched immediately, restrict access to /sys/bus/platform/drivers/spi_imx/unbind and module-unload capabilities to root only (already the default), avoid running spi-imx as a loadable module on multi-tenant systems, or blacklist the driver via modprobe.d if the SPI bus is unused - accepting the trade-off that SPI peripherals (touchscreens, sensors, NOR flash) will then be unavailable.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy