CVE-2026-23207
Unknown Unknown - Not Provided
Race Condition in Linux Tegra210 QSPI Causes NULL Pointer Dereference

Publication date: 2026-02-14

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23207
EUVD
EUVD-2026-5838
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.17.13 (inc) to 6.18 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18.2 (inc) to 6.18.10 (exc)
linux linux_kernel From 5.15.198 (inc) to 5.16 (exc)
linux linux_kernel From 6.1.160 (inc) to 6.2 (exc)
linux linux_kernel From 6.12.63 (inc) to 6.13 (exc)
linux linux_kernel From 6.6.120 (inc) to 6.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tegra210-quad SPI driver, specifically in the handling of the curr_xfer variable within an interrupt request (IRQ) handler.

The issue arises because curr_xfer is accessed without proper synchronization in the tegra_qspi_isr_thread() function. While other accesses to curr_xfer are protected by a spinlock, this function checks curr_xfer for NULL without holding the lock, then releases and reacquires the lock later. This creates a race condition where curr_xfer could be set to NULL by another CPU thread between these operations.

As a result, the handler might dereference a NULL pointer, leading to a potential kernel crash or undefined behavior.

The fix involves protecting the NULL check of curr_xfer with the spinlock and adding an additional NULL check inside the handlers after acquiring the lock to prevent dereferencing NULL pointers.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's SPI driver, which may lead to a kernel crash or system instability.

Such crashes can result in denial of service (DoS) conditions, potentially disrupting normal operation of devices using the affected driver.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is caused by a race condition in the Linux kernel's tegra210-quad SPI driver related to unsynchronized access to the curr_xfer pointer.

To mitigate this vulnerability, ensure that your Linux kernel includes the patch that protects all accesses to curr_xfer with the appropriate spinlock, especially adding a NULL check inside the handlers after acquiring the lock.

If you are using the affected NVIDIA tegra210-quad hardware, update your kernel to a version that contains this fix to prevent NULL pointer dereference due to the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart