Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only UAF whose trigger (driver unbind via sysfs) requires root/CAP_SYS_ADMIN, so PR:H rather than PR:L; kernel memory corruption gives High C/I/A.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
spi: topcliff-pch: fix use-after-free on unbind
Give the driver a chance to flush its queue before releasing the DMA buffers on driver unbind
AnalysisAI
Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.
Technical ContextAI
The affected component is the spi-topcliff-pch driver, which supports the SPI controller found in the Intel EG20T Platform Controller Hub (and OKI/ROHM ML7213/ML7223/ML7831 IOH) - legacy embedded chipsets. The bug is a use-after-free (CWE-416): on driver unbind the DMA buffers used to stage SPI transfers were freed before the driver flushed its pending message queue, so an outstanding transfer could dereference memory that had already been released back to the allocator. The fix reorders teardown to flush the queue before releasing the DMA buffers. Because DMA buffers and SPI transfer descriptors live in kernel heap/coherent memory, a freed-then-reused allocation can corrupt adjacent kernel objects, which is why the CVSS impact is High across C/I/A. Affected code is common to the mainline tree (CPE cpe:2.3:a:linux:linux:*), but only reachable when this specific driver is built and bound to matching hardware.
RemediationAI
Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 7.0.7, or 6.18.30 (or later on each branch), or mainline 7.1-rc1, applying the branch that matches your deployment; distro users should install the corresponding patched kernel package from their vendor. The fix commits are available at git.kernel.org (see the stable hashes above) for backporting if you maintain a custom kernel. As a compensating control where immediate patching is not possible, restrict who can unbind drivers by ensuring only root/privileged users can write to the driver's sysfs bind/unbind interface (default on hardened systems) and avoid automated hotplug/unbind flows for this device; on systems that do not use Intel EG20T/OKI ML7213 SPI hardware, blacklist the module (blacklist spi-topcliff-pch / prevent pch_spi from loading), which removes the attack surface entirely with no functional trade-off since the driver only serves that legacy controller.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35166
GHSA-fg92-r9x5-ch82