Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local attack on embedded hardware requiring low-privilege sysfs access; no confidentiality or integrity impact, only kernel crash.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
spi: s3c64xx: fix NULL-deref on driver unbind
A change moving DMA channel allocation from probe() back to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove().
Drop the bogus DMA channel release from remove() to avoid triggering a NULL-pointer dereference on driver unbind.
This issue was flagged by Sashiko when reviewing a controller deregistration fix.
AnalysisAI
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
Technical ContextAI
The vulnerability resides in the s3c64xx SPI controller driver (drivers/spi/spi-s3c64xx.c), which targets Samsung's S3C64xx and early Exynos SoC family. A prior refactoring commit (f52b03c707444c5a3d1a0b9c5724f93ddc3c588e) moved DMA channel allocation from the driver's probe() function into s3c64xx_spi_prepare_transfer(), deferring it until a transfer is actually initiated. However, the corresponding DMA channel release call was not removed from remove(). When the driver is unbound without ever initiating a transfer, the DMA channel pointer is still NULL, and the remove() path dereferences it, triggering CWE-476 (NULL Pointer Dereference). CPE data confirms the affected component as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across all kernel versions containing the offending commit, with fixes landing in stable branches 6.6.140, 6.12.88, 6.18.30, 7.0.7, and 7.1-rc1.
RemediationAI
The primary fix is to update to a patched Linux kernel version: 6.6.140 or later for the 6.6 stable series, 6.12.88 or later for the 6.12 series, 6.18.30 or later for the 6.18 series, or 7.0.7 or later for the 7.0 series. The fix removes the erroneous DMA channel deallocation from remove(), and is available in the upstream stable trees at the git.kernel.org references provided. Distribution kernels (Debian, Ubuntu, RHEL, etc.) will incorporate these fixes through their standard stable update channels. For systems where immediate kernel upgrade is not feasible, a practical workaround is to prevent driver unbind of the s3c64xx SPI controller by restricting access to sysfs bind/unbind interfaces (e.g., via udev rules or filesystem permissions on /sys/bus/platform/drivers/s3c64xx-spi/). Disabling module unloading (sysctl kernel.modules_disabled=1) also eliminates the unbind path but has broad side effects on system manageability. Neither workaround is recommended over patching.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35162
GHSA-vvjj-6m9v-rg8g