CVE-2026-43460
Analyzed Analyzed - Analysis Complete
Double-Free in Rockchip SFC Linux Kernel Driver

Publication date: 2026-05-08

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix double-free in remove() callback The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free. And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-20
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43460
EUVD
EUVD-2026-28766
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 6.14 (inc) to 6.18.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a double-free issue in the Linux kernel's rockchip-sfc SPI driver. The driver uses devm_spi_register_controller() to register the SPI controller, which automatically unregisters the controller when the device is removed. However, the remove() callback manually calls spi_unregister_controller(), causing the controller to be freed twice.

To fix this, the registration method was changed to spi_register_controller() in the probe() function to ensure the controller is unregistered before the DMA buffer is unmapped, preventing the double-free condition.

Impact Analysis

A double-free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or cause denial of service.

In this specific case, the double-free in the SPI driver could destabilize the Linux kernel on affected systems, potentially impacting system reliability and security.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves changing the driver to use spi_register_controller() in the probe() function instead of devm_spi_register_controller(), preventing the double-free issue in the remove() callback.

Avoid manually calling spi_unregister_controller() in the remove() callback for the affected driver to prevent double-free errors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart