Skip to main content

Linux Kernel EUVDEUVD-2026-32846

| CVE-2026-46219 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-993q-fvmm-5hv9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 18:53 vuln.today
CVSS changed
Jun 10, 2026 - 18:52 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

spi: mpc52xx: fix use-after-free on unbind

The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.

AnalysisAI

Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The bug lives in drivers/spi/spi-mpc52xx.c, the Linux kernel SPI controller driver for Freescale/NXP MPC52xx PowerPC SoCs. The driver uses an interrupt handler that schedules a deferred work item (a state-machine workqueue task) to advance SPI transfers. On driver unbind, the teardown ordering was incorrect: pending work could still be queued or executing after the backing data structures were freed, which is the classic CWE-416 use-after-free pattern. The fix reorders teardown so interrupts are masked first and then the work item is cancelled (cancel_work_sync) before resources are released, eliminating the race between the IRQ-scheduled worker and the freeing path. CPE data confirms the affected component is the Linux kernel itself (cpe:2.3:o:linux:linux_kernel), with fixes flowing through multiple stable branches.

RemediationAI

Vendor-released patch: update to a fixed Linux stable release - per EUVD this includes 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.140, 6.12.90, 6.18.32, 7.0.9, and 7.1-rc1 or later, depending on the branch in use. The fix is the upstream commits referenced at git.kernel.org/stable (notably 6c3e413919a1, 706b3dc2ac7a, bb6b50f709c5, bbcd6dd8e9f2, ee52da0dd83e), which add a cancel_work_sync after disabling interrupts in the spi-mpc52xx unbind path. Distribution users should pull the corresponding vendor kernel update (RHEL/Ubuntu/SUSE/Debian errata). If patching must be deferred on affected PowerPC MPC52xx systems, the practical compensating control is to avoid unbinding the spi-mpc52xx driver at runtime (do not write to /sys/bus/platform/drivers/mpc52xx-psc-spi/unbind or rmmod the module) and restrict root/CAP_SYS_ADMIN access that would permit such an operation; on systems that never need this driver, blacklisting the module entirely (modprobe blacklist) removes the attack surface at the cost of losing SPI functionality on that hardware.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy