CVE-2026-31485
Received Received - Intake
Use-After-Free in Linux spi-fsl-lpspi Driver Causes Kernel Crash

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: | fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] | Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...] Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31485
EUVD
EUVD-2026-24849
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.10
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 4.10.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's spi-fsl-lpspi driver. It occurs because the SPI controller is registered with devm_spi_register_controller(), which delays its unregistration until after the fsl_lpspi_remove() function returns. However, fsl_lpspi_remove() tears down DMA channels synchronously, and if an SPI transfer is running during this teardown, it can cause a NULL pointer dereference leading to an I/O error and kernel crash.

The fix involved changing the registration method to spi_register_controller() in the probe function and adding a corresponding spi_unregister_controller() in the remove function to ensure proper teardown order and avoid the use-after-free condition.

Impact Analysis

This vulnerability can cause kernel crashes due to NULL pointer dereferences when an SPI transfer is active during device removal. This can lead to system instability, potential data loss, or denial of service on affected systems using the spi-fsl-lpspi driver.

Detection Guidance

This vulnerability manifests as a NULL pointer dereference in the fsl_lpspi driver during SPI transfers, which can cause I/O errors and kernel crashes.

Detection can involve monitoring kernel logs for error messages related to the fsl_lpspi driver, such as 'I/O Error in DMA RX' or 'Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000'.

  • Use the command: dmesg | grep fsl_lpspi
  • Check for kernel oops or panic messages related to SPI transfers in system logs: journalctl -k | grep -i spi
  • Monitor for abnormal SPI device behavior or failures during DMA transfers.
Mitigation Strategies

The vulnerability is caused by a teardown order issue in the fsl_lpspi SPI driver, leading to use-after-free during DMA transfers.

Immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed, specifically where the driver switches from devm_spi_register_controller() to spi_register_controller() and adds spi_unregister_controller() in the remove function.

If updating the kernel is not immediately possible, avoid running SPI transfers on the affected controller during device removal or shutdown to prevent triggering the use-after-free condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart