Description
In the Linux kernel, the following vulnerability has been resolved:

spi: spi-sprd-adi: Fix double free in probe error path

The driver currently uses spi_alloc_host() to allocate the controller
but registers it using devm_spi_register_controller().

If devm_register_restart_handler() fails, the code jumps to the
put_ctlr label and calls spi_controller_put(). However, since the
controller was registered via a devm function, the device core will
automatically call spi_controller_put() again when the probe fails.
This results in a double-free of the spi_controller structure.

Fix this by switching to devm_spi_alloc_host() and removing the
manual spi_controller_put() call.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Double free of SPI controller causing kernel memory corruption and potential crash or arbitrary code execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is a double free in the Linux kernel’s SPI driver for SPRD ADI devices. When probe registration fails, the driver releases the controller both manually and through the device core, corrupting the kernel’s memory management of the SPI controller. This leads to a double free identified as CWE‑415, which can cause kernel crashes and potentially allow local attackers to execute arbitrary code or gain elevated privileges within the kernel context.
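
The double release on the failing probe path can be seen in a small userspace model. This is an added example, not code from the kernel or from the fix itself; every model_* name is hypothetical, and the structure tracks only a reference count in place of the real spi_controller.

```c
#include <stdio.h>

/* Userspace model only: every model_* name is hypothetical, not a kernel API. */
struct model_ctlr {
    int refs;        /* references held on the controller */
    int released;    /* set when the last reference is dropped (the free) */
    int stale_puts;  /* puts that arrive after release: the double free */
};

/* Stand-in for spi_controller_put(). */
static void model_put(struct model_ctlr *c)
{
    if (c->released) {
        c->stale_puts++;      /* object is already gone */
        return;
    }
    if (--c->refs == 0)
        c->released = 1;
}

/* Stand-in for the managed cleanup the device core runs when probe fails. */
static void model_devm_unwind(struct model_ctlr *c)
{
    model_put(c);
}

/* Failing probe before the fix: manual put at put_ctlr plus managed cleanup. */
static struct model_ctlr probe_fail_before_fix(void)
{
    struct model_ctlr c = { .refs = 1 };
    model_put(&c);            /* put_ctlr: manual spi_controller_put() */
    model_devm_unwind(&c);    /* device core releases the controller again */
    return c;
}

/* Failing probe after the fix: the managed cleanup is the only release. */
static struct model_ctlr probe_fail_after_fix(void)
{
    struct model_ctlr c = { .refs = 1 };
    model_devm_unwind(&c);
    return c;
}

int main(void)
{
    printf("before fix: stale puts = %d\n", probe_fail_before_fix().stale_puts);
    printf("after fix:  stale puts = %d\n", probe_fail_after_fix().stale_puts);
    return 0;
}
```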

Affected Systems

The issue affects Linux kernel 6.19 release candidates from rc1 through rc6, as indicated by the vendor’s CPE listings. Systems running these kernel versions without the patch are susceptible.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is rated High severity. The current EPSS score is below 1%, suggesting a low probability of exploitation at present, and it is not listed in CISA's KEV catalog. Nevertheless, the double-free flaw is reached through the driver's probe error path and may lead to kernel instability or privilege escalation for local users who can trigger the problematic probe sequence.

Generated by OpenCVE AI on April 18, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system’s kernel to a version that includes the fix (e.g., 6.19‑rc7 or later).
  • If an immediate kernel upgrade is not possible, blacklist or unload the spi-sprd-adi driver to prevent the double‑free error from occurring.
  • Continuously monitor kernel logs for related panics or OOPS messages and report any anomalies to the vendor.

Advisories
Source | ID | Title
Debian DLA | DLA-4476-1 | linux-6.1 security update
Debian DSA | DSA-6126-1 | linux security update
Debian DSA | DSA-6127-1 | linux security update

History

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Feb 2026 16:45:00 +0000


Thu, 05 Feb 2026 12:15:00 +0000


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Title spi: spi-sprd-adi: Fix double free in probe error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:07.365Z

Reserved: 2026-01-13T15:37:45.954Z

Link: CVE-2026-23068

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-04T17:16:17.500

Modified: 2026-03-13T21:27:37.353

Link: CVE-2026-23068

Red Hat

Severity:

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23068 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z
