CVE-2026-23475

MEDIUM

spi: fix statistics allocation

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (22)
linux/Kernel 6.0.0 - 6.1.167linux
linux/Kernel 6.13.0 - 6.18.20linux
linux/Kernel 6.19.0 - 6.19.10linux
linux/Kernel 6.2.0 - 6.6.130linux
linux/Kernel 6.7.0 - 6.12.78linux
Linux/Linux < 6.0
Linux/Linux 6.0
Linux/Linux 6.1.167 - 6.1.*
Linux/Linux 6.12.78 - 6.12.*
Linux/Linux 6.18.20 - 6.18.*
... and 12 more
Published Apr 03, 2026
Tracked Since Apr 03, 2026