CVE-2026-23475
NULL Pointer Dereference in Linux Kernel SPI Controller Statistics
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's SPI controller statistics allocation process. The per-CPU statistics for the controller are not allocated until after the controller has been registered with the driver core. This timing creates a window during which accessing the sysfs attributes can cause a NULL-pointer dereference, potentially leading to system instability or crashes.
The fix involves moving the statistics allocation to the time of controller allocation and tying its lifetime directly to the controller, rather than relying on implicit device resource management.
How can this vulnerability impact me? :
This vulnerability can lead to a NULL-pointer dereference when sysfs attributes are accessed during the vulnerable window. This can cause system crashes or instability, potentially affecting the reliability and availability of systems running the affected Linux kernel.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed by updating the Linux kernel to a version where the spi controller per-cpu statistics allocation occurs during controller allocation, preventing NULL-pointer dereference.
Therefore, the immediate step to mitigate this vulnerability is to update your Linux kernel to the fixed version released on or after 2026-04-03.