Description
In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer

The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.

Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.

Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash due to NULL pointer dereference or use-after‑free
Action: Apply patch
AI Analysis

Impact

The flaw stems from a race condition during communication with the tegra210‑quad SPI peripheral. One handler reads a field while another clears it without holding a lock. This can allow the handler to observe an intermediate, potentially null, state and subsequently dereference a NULL pointer or a freed object. The description does not explicitly state the consequences for the system, but it is inferred that the kernel could crash, causing denial of service. The weakness corresponds to CWE‑476.

Affected Systems

Affects the Linux kernel’s tegra210‑quad SPI driver. Versions 6.19 rc1 through rc8 contain the vulnerable code before the lock was added. Any custom kernel build that includes the unchecked tegra_qspi_combined_seq_xfer logic is also affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate impact. The EPSS score (<1%) suggests a very low likelihood of an active exploitation vector. It is not listed in CISA KEV. Based on the description, it is inferred that the attack would require local or privileged access to trigger the race condition, so remote exploitation is unlikely. The overall risk remains moderate with a low probability of exploitation, but the denial of service nature warrants attention.

Generated by OpenCVE AI on April 18, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the spinlock fix for tegra_qspi_combined_seq_xfer.
  • Reboot the system to ensure the patched kernel is running.
  • If an upgrade is not immediately possible, disable or limit access to the tegra qspi device to reduce the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
Ubuntu USN Ubuntu USN USN-8100-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
History

Thu, 19 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free.
Title spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:26.365Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23202

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T17:15:58.050

Modified: 2026-03-19T16:35:07.930

Link: CVE-2026-23202

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23202 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses