HIGH
spi Controller UAF
CVE-2026-31389
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.7MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.
02KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in SPI controller registration can lead to kernel memory corruption when per-cpu statistics allocation fails. This affects systems with SPI hardware during driver initialization and requires privileged access to trigger.
Vulnerability analysis
The vulnerability occurs in spi_register_controller() when per-cpu statistics allocation fails after device registration with the driver core. The original code failed to call device_del() in this error path, leaving a dangling device registration while the controller structure could be freed. This creates a use-after-free condition when the driver core later accesses the freed controller resources. The fix ensures proper cleanup by adding device_del() to the error path and consolidating cleanup flow.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | 0e23f50086da |
| 6.12 | 6.12.78 | afe27c1f43aa |
| 6.18 | 6.18.20 | 80f3e8cd2b4a |
| 6.19 | 6.19.10 | 23b51bad2eb8 |
| 6.6 | 6.6.130 | 6bbd385b30c7 |
| mainline | 7.0 | 8634e05b08ea |