CVE-2025-68746
Use-After-Free in Linux Tegra210 QSPI Timeout Handling

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Fix timeout handling

When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory.

To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run.

A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer.

Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-05-06
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's tegra210-quad SPI driver. When the CPU running the QSPI interrupt handler is very busy, the IRQ thread may not run before a transfer timeout occurs. During timeout handling, pending transfers are cleaned up and marked as failed, but the curr_xfer field still points to stale memory. This can cause issues because the system may reference invalid data. The fix involves clearing curr_xfer to NULL upon timeout and checking this condition when the IRQ thread runs, as well as clearing interrupts on failure to allow new interrupts to be processed.
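
The fix described above, as a simplified user-space C model added here for illustration; it is not the kernel driver's code, and every name except curr_xfer (qspi_model, handle_timeout, irq_thread, run) is hypothetical. The model runs the timeout path and the late IRQ thread one after the other rather than concurrently.

```c
#include <stdlib.h>

/* User-space model; every name except curr_xfer is hypothetical. */
struct xfer { int done; };
struct qspi_model {
    struct xfer *curr_xfer;  /* transfer the IRQ thread will touch */
    unsigned int irq_status; /* modelled pending-interrupt bits */
};
enum irq_result { IRQ_NOTHING_TO_DO, IRQ_COMPLETED };

static void start_transfer(struct qspi_model *q)
{
    q->curr_xfer = calloc(1, sizeof(*q->curr_xfer));
    if (!q->curr_xfer) abort();
    q->irq_status |= 1u;     /* hardware raises its interrupt */
}

/* Timeout path: the message has failed and its transfer is released. */
static void handle_timeout(struct qspi_model *q)
{
    free(q->curr_xfer);
    q->curr_xfer = NULL;     /* the fix: leave no stale pointer behind */
    q->irq_status = 0;       /* clear interrupts so new ones can arrive */
}

/* IRQ thread, possibly running late because its CPU was busy. */
static enum irq_result irq_thread(struct qspi_model *q)
{
    struct xfer *t = q->curr_xfer;
    q->irq_status = 0;
    if (!t)                  /* timeout already cleaned up: touch nothing */
        return IRQ_NOTHING_TO_DO;
    t->done = 1;
    return IRQ_COMPLETED;
}

/* Runs one transfer; timeout_first != 0 models the delayed IRQ thread. */
int run(int timeout_first)
{
    struct qspi_model q = {0};
    start_transfer(&q);
    if (timeout_first)
        handle_timeout(&q);
    enum irq_result r = irq_thread(&q);
    free(q.curr_xfer);       /* free(NULL) is a no-op after a timeout */
    return r;
}

int main(void) { return !(run(1) == IRQ_NOTHING_TO_DO && run(0) == IRQ_COMPLETED); }
```

Without the NULL assignment in handle_timeout, the late irq_thread call would write through a pointer to memory that had already been freed.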


How can this vulnerability impact me?

This vulnerability can lead to the system referencing stale memory after a transfer timeout, which may cause instability or unexpected behavior in the SPI communication on affected devices. It could result in failed data transfers or system errors related to the SPI interface, especially under high CPU load conditions.


What immediate steps should I take to mitigate this vulnerability?

Apply the patch or update to the fixed version of the Linux kernel that addresses the spi: tegra210-quad timeout handling issue. This fix clears the curr_xfer field upon timeout and ensures interrupts are cleared on failure to prevent stale memory references and allow new interrupts to run properly.

