CVE-2026-31485
Use-After-Free in Linux spi-fsl-lpspi Driver Causes Kernel Crash
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 4.10 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.168 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.131 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 4.10.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free (UAF) issue in the Linux kernel's spi-fsl-lpspi driver. It occurs because the SPI controller is registered with devm_spi_register_controller(), which delays its unregistration until after the fsl_lpspi_remove() function returns. However, fsl_lpspi_remove() tears down DMA channels synchronously, and if an SPI transfer is running during this teardown, it can cause a NULL pointer dereference leading to an I/O error and kernel crash.
The fix involved changing the registration method to spi_register_controller() in the probe function and adding a corresponding spi_unregister_controller() in the remove function to ensure proper teardown order and avoid the use-after-free condition.
How can this vulnerability impact me?
This vulnerability can cause kernel crashes due to NULL pointer dereferences when an SPI transfer is active during device removal. This can lead to system instability, potential data loss, or denial of service on affected systems using the spi-fsl-lpspi driver.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a NULL pointer dereference in the fsl_lpspi driver during SPI transfers, which can cause I/O errors and kernel crashes.
Detection can involve monitoring kernel logs for error messages related to the fsl_lpspi driver, such as 'I/O Error in DMA RX' or 'Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000'.
- Use the command: dmesg | grep fsl_lpspi
- Check for kernel oops or panic messages related to SPI transfers in system logs: journalctl -k | grep -i spi
- Monitor for abnormal SPI device behavior or failures during DMA transfers.
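A triage script for the two log signatures listed above, added here as an example (it is not code from the kernel project or from this page's source). It goes beyond the grep commands by tying a NULL pointer dereference report to a fsl_lpspi stack frame inside the same oops report; the sample log lines, device address, frame offsets and the 60-line bound are constructed assumptions.

```python
import re
import sys

DMA_ERR = "I/O Error in DMA RX"                     # signature quoted in the text above
NULL_OOPS = "Unable to handle kernel NULL pointer dereference"
END_TRACE = "---[ end trace"                        # marker that closes an oops report
# A symbol+offset frame such as fsl_lpspi_x+0x10/0x40. Requiring symbol+offset keeps
# the module name spi_fsl_lpspi in a "Modules linked in:" line from counting as a hit.
FRAME = re.compile(r"\bfsl_lpspi_\w+\+0x[0-9a-f]+/0x[0-9a-f]+")
MAX_REPORT_LINES = 60   # assumption: upper bound on the length of one oops report

def find_lpspi_crashes(lines):
    """Return (kind, line_number, evidence) tuples for fsl_lpspi crash signatures."""
    findings = []
    for i, line in enumerate(lines):
        if DMA_ERR in line and "fsl_lpspi" in line:
            findings.append(("dma_io_error", i + 1, line.strip()))
        elif NULL_OOPS in line:
            # Walk this oops report only; stop at its end or at the next report.
            for follow in lines[i + 1:i + 1 + MAX_REPORT_LINES]:
                if END_TRACE in follow or NULL_OOPS in follow:
                    break
                if FRAME.search(follow):
                    findings.append(("null_deref_in_driver", i + 1, follow.strip()))
                    break
    return findings

# Constructed sample: one unrelated oops, then the two signatures named above.
SAMPLE_LOG = """\
[  101.100000] spi-nor spi0.0: constructed unrelated SPI line
[  200.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  200.000100] Modules linked in: spi_fsl_lpspi other_driver
[  200.000200] Call trace:
[  200.000300]  other_driver_irq+0x10/0x40
[  200.000400] ---[ end trace 0000000000000000 ]---
[  312.400000] fsl_lpspi 44360000.spi: I/O Error in DMA RX
[  312.400100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  312.400200] Call trace:
[  312.400300]  fsl_lpspi_transfer_one+0x1a4/0x2c0
[  312.400400] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    # Pipe `dmesg` or `journalctl -k` output in; with no pipe, scan the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for kind, lineno, evidence in find_lpspi_crashes(text.splitlines()):
        print(f"{kind} at line {lineno}: {evidence}")
```

The first oops in the sample is not reported even though the module is loaded, because no fsl_lpspi frame appears before its end-of-trace marker.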
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by a teardown order issue in the fsl_lpspi SPI driver, leading to use-after-free during DMA transfers.
Immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed, specifically where the driver switches from devm_spi_register_controller() to spi_register_controller() and adds spi_unregister_controller() in the remove function.
If updating the kernel is not immediately possible, avoid running SPI transfers on the affected controller during device removal or shutdown to prevent triggering the use-after-free condition.