Skip to main content

Linux Kernel EUVDEUVD-2026-28603

| CVE-2026-43319 MEDIUM
Improper Locking (CWE-667)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-p22q-5w3q-wqpq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 20:30 vuln.today
CVSS changed
May 15, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: spidev: fix lock inversion between spi_lock and buf_lock

The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path:

write()/read(): buf_lock -> spi_lock ioctl(): spi_lock -> buf_lock

This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks:

WARNING: possible circular locking dependency detected spidev_ioctl() -> mutex_lock(&spidev->buf_lock) spidev_sync_write() -> mutex_lock(&spidev->spi_lock) * DEADLOCK *

The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor.

Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock.

buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues.

This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour.

AnalysisAI

Local denial-of-service deadlock in Linux kernel spidev driver allows authenticated users with low privileges to freeze the SPI subsystem via concurrent write() and ioctl() calls. The AB-BA lock inversion between spi_lock and buf_lock is reproducible with simple multithreaded userspace programs accessing the same spidev file descriptor. Patch available across stable kernel branches (6.12.75, 6.18.16, 6.19.6, 7.0) with extremely low EPSS score (0.02%, 5th percentile) indicating minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

The vulnerability resides in the spidev driver within the Linux kernel's SPI (Serial Peripheral Interface) subsystem. Spidev provides a userspace interface to SPI devices through character device nodes (/dev/spidevX.Y). The flaw is a classic AB-BA lock inversion pattern (CWE-667: Improper Locking) where two mutexes-spi_lock and buf_lock-are acquired in opposite orders across different code paths. The write()/read() syscalls acquire buf_lock followed by spi_lock, while ioctl() operations (specifically SPI_IOC_WR_MAX_SPEED_HZ and similar commands) acquire spi_lock followed by buf_lock. This creates a circular dependency that lockdep detects and can manifest as a real deadlock under concurrent access. The CPE data indicates the vulnerability affects Linux kernel versions from the initial git commit (1da177e4c3f4) through kernel 7.0 release candidates, with backported fixes available for long-term support branches 6.12.x, 6.18.x, and 6.19.x. The fix simplifies the locking model by removing buf_lock entirely and consolidating all synchronization under spi_lock, eliminating the lock ordering problem while maintaining userspace ABI compatibility.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.75 or later for 6.12.x branch, 6.18.16 or later for 6.18.x branch, 6.19.6 or later for 6.19.x branch, or 7.0 stable release for mainline deployments. Patch commits are available from kernel.org stable tree (links: https://git.kernel.org/stable/c/e341e18215030af2136836b78508e0d798916df7, https://git.kernel.org/stable/c/f8431b8672231d378b03176fe74c95adfd3522cf, https://git.kernel.org/stable/c/40534d19ed2afb880ecf202dab26a8e7a5808d16, https://git.kernel.org/stable/c/41ccfac7d302968a4f32b5f7b012d066c5f5cdf8). For systems where immediate kernel upgrade is not feasible, implement compensating controls: restrict access to /dev/spidev* device nodes to only essential system services via udev rules (limiting group membership reduces attack surface but does not eliminate risk from already-privileged processes); audit and refactor applications accessing SPI devices to use single-threaded access patterns or application-level locking around spidev file descriptor operations (introduces application complexity and potential performance impact); or disable spidev module entirely if userspace SPI access is not required (breaks functionality for applications depending on spidev interface). Note that restricting device node permissions only reduces exposure-it does not prevent exploitation by already-authorized processes, so patching remains the definitive mitigation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy