Skip to main content

Linux Kernel CVE-2026-46301

| EUVDEUVD-2026-35166 HIGH
Use After Free (CWE-416)
2026-06-08 Linux GHSA-fg92-r9x5-ch82
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

Local-only UAF whose trigger (driver unbind via sysfs) requires root/CAP_SYS_ADMIN, so PR:H rather than PR:L; kernel memory corruption gives High C/I/A.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 14:53 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
7.8 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
HIGH 7.8
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: topcliff-pch: fix use-after-free on unbind

Give the driver a chance to flush its queue before releasing the DMA buffers on driver unbind

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.

Technical ContextAI

The affected component is the spi-topcliff-pch driver, which supports the SPI controller found in the Intel EG20T Platform Controller Hub (and OKI/ROHM ML7213/ML7223/ML7831 IOH) - legacy embedded chipsets. The bug is a use-after-free (CWE-416): on driver unbind the DMA buffers used to stage SPI transfers were freed before the driver flushed its pending message queue, so an outstanding transfer could dereference memory that had already been released back to the allocator. The fix reorders teardown to flush the queue before releasing the DMA buffers. Because DMA buffers and SPI transfer descriptors live in kernel heap/coherent memory, a freed-then-reused allocation can corrupt adjacent kernel objects, which is why the CVSS impact is High across C/I/A. Affected code is common to the mainline tree (CPE cpe:2.3:a:linux:linux:*), but only reachable when this specific driver is built and bound to matching hardware.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 7.0.7, or 6.18.30 (or later on each branch), or mainline 7.1-rc1, applying the branch that matches your deployment; distro users should install the corresponding patched kernel package from their vendor. The fix commits are available at git.kernel.org (see the stable hashes above) for backporting if you maintain a custom kernel. As a compensating control where immediate patching is not possible, restrict who can unbind drivers by ensuring only root/privileged users can write to the driver's sysfs bind/unbind interface (default on hardened systems) and avoid automated hotplug/unbind flows for this device; on systems that do not use Intel EG20T/OKI ML7213 SPI hardware, blacklist the module (blacklist spi-topcliff-pch / prevent pch_spi from loading), which removes the attack surface entirely with no functional trade-off since the driver only serves that legacy controller.

Share

CVE-2026-46301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy