CVE-2026-43460
Double-Free in Rockchip SFC Linux Kernel Driver
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | linux_kernel | * |
| rockchip | rockchip-sfc | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a double-free issue in the Linux kernel's rockchip-sfc SPI driver. The driver uses devm_spi_register_controller() to register the SPI controller, which automatically unregisters the controller when the device is removed. However, the remove() callback manually calls spi_unregister_controller(), causing the controller to be freed twice.
To fix this, the registration method was changed to spi_register_controller() in the probe() function to ensure the controller is unregistered before the DMA buffer is unmapped, preventing the double-free condition.
How can this vulnerability impact me? :
A double-free vulnerability can lead to undefined behavior such as memory corruption, system crashes, or potential exploitation by attackers to execute arbitrary code or cause denial of service.
In this specific case, the double-free in the SPI driver could destabilize the Linux kernel on affected systems, potentially impacting system reliability and security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves changing the driver to use spi_register_controller() in the probe() function instead of devm_spi_register_controller(), preventing the double-free issue in the remove() callback.
Avoid manually calling spi_unregister_controller() in the remove() callback for the affected driver to prevent double-free errors.