CVE-2026-23202
Unknown Unknown - Not Provided
Race Condition in Linux Tegra210 QSPI Causes Use-After-Free

Publication date: 2026-02-14

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23202
EUVD
EUVD-2026-5842
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.17.13 (inc) to 6.18 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.12.63 (inc) to 6.12.70 (exc)
linux linux_kernel From 6.18.2 (inc) to 6.18.10 (exc)
linux linux_kernel From 6.6.120 (inc) to 6.6.124 (exc)
linux linux_kernel From 5.15.198 (inc) to 5.15.200 (exc)
linux linux_kernel From 6.1.160 (inc) to 6.1.163 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's spi driver for the tegra210-quad device. The issue arises because the curr_xfer field is accessed by an interrupt handler (IRQ handler) without proper locking, which means it can be read while being updated concurrently. Specifically, the curr_xfer field is used to check if a transfer is in progress, but it is cleared in the combined sequence transfer loop without holding a spinlock. This lack of synchronization can cause a race condition between the IRQ handler and the transfer loop.

If the IRQ handler reads a partially updated curr_xfer value due to this race, it can lead to a NULL pointer dereference or use-after-free error, potentially causing system instability or crashes.

Impact Analysis

This vulnerability can impact you by causing system instability or crashes due to NULL pointer dereference or use-after-free conditions triggered by the race condition in the kernel's SPI driver. Such crashes could lead to denial of service or unexpected behavior in systems using the affected tegra210-quad SPI driver.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in the tegra210-quad SPI driver has been fixed. This fix involves protecting the curr_xfer field with a spinlock in the tegra_qspi_combined_seq_xfer function to prevent race conditions that could lead to NULL pointer dereference or use-after-free.

Ensure that your system is running the patched kernel version released after 2026-02-14, which includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart