Skip to main content

Linux Kernel EUVDEUVD-2025-209748

| CVE-2025-71299 MEDIUM
2026-05-08 Linux GHSA-wcrj-2m2g-27wm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 21:31 vuln.today
CVSS changed
May 14, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing

The recent refactoring of where runtime PM is enabled done in commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance") made the fact that when we do a pm_runtime_disable() in the error paths of probe() we can trigger a runtime disable which in turn results in duplicate clock disables. This is particularly likely to happen when there is missing or broken DT description for the flashes attached to the controller.

Early on in the probe function we do a pm_runtime_get_noresume() since the probe function leaves the device in a powered up state but in the error path we can't assume that PM is enabled so we also manually disable everything, including clocks. This means that when runtime PM is active both it and the probe function release the same reference to the main clock for the IP, triggering warnings from the clock subsystem:

[ 8.693719] clk:75:7 already disabled [ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb ... [ 8.694261] clk_core_disable+0xa0/0xb4 (P) [ 8.694272] clk_disable+0x38/0x60 [ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi] [ 8.694309] platform_probe+0x5c/0xa4

Dealing with this issue properly is complicated by the fact that we don't know if runtime PM is active so can't tell if it will disable the clocks or not. We can, however, sidestep the issue for the flash descriptions by moving their parsing to when we parse the controller properties which also save us doing a bunch of setup which can never be used so let's do that.

AnalysisAI

A denial of service vulnerability in the Linux kernel's Cadence QSPI driver causes duplicate clock disables during device probe error handling when flash device tree descriptions are missing or malformed. An unprivileged local user can trigger this vulnerability by providing broken device tree configuration for attached SPI flash devices, resulting in kernel warnings and potential system instability.

Technical ContextAI

The vulnerability exists in the spi-cadence-quadspi driver's probe function, which manages runtime power management (PM) and clock control for Cadence QSPI controllers. The issue stems from a refactoring that enabled PM runtime earlier in the probe sequence (commit f1eb4e792bb1). When probe encounters missing or malformed device tree (DT) descriptions for attached flash devices, the error path attempts to disable clocks both through the PM subsystem and manually, creating duplicate disable operations. The clock subsystem interprets these as errors and generates warnings. The root cause is conflicting responsibility for clock management between the PM framework and explicit driver code during error recovery.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16, 6.19.6, or 7.0 stable releases, or apply the corresponding upstream commits (08dca4c8, 9f0736a4, or dcaa104ad as detailed in references). The fix resolves the duplicate clock disable issue by moving flash device tree parsing to the controller property parsing phase, eliminating unnecessary setup for unused flash configurations and preventing conflicting PM/manual clock disable operations. For systems unable to upgrade immediately, restrict unprivileged user access to device tree modifications and avoid loading SPI QSPI drivers on systems accepting user-supplied DT configurations without validation. Note that the vulnerability requires local access and malformed DT configuration to trigger, so standard deployments with validated bootloader-provided DT data face minimal practical risk.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2025-209748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy