Description
In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer check in IRQ handler

Now that all other accesses to curr_xfer are done under the lock,
protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the
spinlock. Without this protection, the following race can occur:

    CPU0 (ISR thread)              CPU1 (timeout path)
    ----------------               -------------------
    if (!tqspi->curr_xfer)
      // sees non-NULL
                                   spin_lock()
                                   tqspi->curr_xfer = NULL
                                   spin_unlock()
    handle_*_xfer()
      spin_lock()
      t = tqspi->curr_xfer  // NULL!
      ... t->len ...        // NULL dereference!

With this patch, all curr_xfer accesses are now properly synchronized.

Although all accesses to curr_xfer are done under the lock, in
tegra_qspi_isr_thread() it checks for NULL, releases the lock and
reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().
There is a potential for an update in between, which could cause a NULL
pointer dereference.

To handle this, add a NULL check inside the handlers after acquiring
the lock. This ensures that if the timeout path has already cleared
curr_xfer, the handler will safely return without dereferencing the
NULL pointer.
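
The check-then-act window described above, reduced to a single-threaded userspace model (an added example, not the kernel driver's code). A pthread mutex stands in for the spinlock; `run_case`, `ISR_WOULD_OOPS` and the `race` flag are hypothetical names, and `race` forces the timeout path to run in the gap between the ISR's check and the handler.

```c
#include <pthread.h>
#include <stdio.h>
/* Userspace model: names follow the advisory, bodies are constructed. */
struct xfer { unsigned len; };
struct qspi {
    pthread_mutex_t lock;   /* stands in for the driver spinlock */
    struct xfer *curr_xfer; /* shared with the timeout path */
};
enum { ISR_NONE = -1, ISR_WOULD_OOPS = -2 };

/* CPU1 in the diagram: clears curr_xfer under the lock. */
static void timeout_path(struct qspi *q)
{
    pthread_mutex_lock(&q->lock);
    q->curr_xfer = NULL;
    pthread_mutex_unlock(&q->lock);
}

/* Handler re-takes the lock; only the patched form re-checks for NULL. */
static int handle_xfer(struct qspi *q, int patched)
{
    pthread_mutex_lock(&q->lock);
    struct xfer *t = q->curr_xfer;
    int ret = t ? (int)t->len : (patched ? ISR_NONE : ISR_WOULD_OOPS);
    pthread_mutex_unlock(&q->lock);
    return ret; /* ISR_WOULD_OOPS marks where t->len would fault */
}

/* ISR thread: locked check, lock dropped, then handler. */
static int isr_thread(struct qspi *q, int patched, int race)
{
    pthread_mutex_lock(&q->lock);
    int idle = (q->curr_xfer == NULL);
    pthread_mutex_unlock(&q->lock);
    if (idle) return ISR_NONE;
    if (race) timeout_path(q); /* CPU1 wins the gap between the sections */
    return handle_xfer(q, patched);
}

static int run_case(int patched, int race)
{
    struct xfer x = { .len = 64 }; /* constructed sample transfer */
    struct qspi q = { PTHREAD_MUTEX_INITIALIZER, &x };
    return isr_thread(&q, patched, race);
}
int main(void)
{
    printf("%d %d %d\n", run_case(0, 1), run_case(1, 1), run_case(1, 0));
}
```

Holding the lock for the first check alone does not close the window, because the lock is released before the handler runs; the re-check inside the handler is what turns the lost race into an early return.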
Published: 2026-02-14
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash caused by NULL pointer dereference)
Action: Apply Patch
AI Analysis

Impact

A race condition in the Linux tegra210-quad SPI driver allows the shared transfer pointer to become NULL while an interrupt handler still assumes it is valid, resulting in a NULL pointer dereference and a possible kernel panic. The flaw originates from unsynchronized access to the curr_xfer field during ISR processing and timeout handling, and the description clarifies that the patch adds locking and an additional NULL check to prevent this unsafe access. The vulnerability is a concurrency bug that leads to integrity and availability loss at the kernel level, but does not provide an attack vector for code execution or data exfiltration.

Affected Systems

Linux kernel versions 6.19 release candidates (rc1 through rc8) are affected. The issue exists in the tegra210-quad SPI driver and any system running those kernel versions on Tegra hardware. No specific vendor name is given beyond the Linux kernel.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known public exploits. The likely attack vector is local and requires the attacker to trigger the race condition by initiating SPI transfers and causing a timeout on a Tegra platform. The impact is limited to a kernel crash, which would bring the operating system down. The overall risk remains moderate due to the low exploitation likelihood and the need for local, privileged access to exploit the race.

Generated by OpenCVE AI on April 15, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the tegra210-quad ISR lock and NULL‑check patch (e.g., Linux kernel 6.19 rc9 or later).
  • Verify that the patch commit (e.g., 2ac3a105e514...) is present in the running kernel by inspecting the source or using dmesg.
  • If upgrading is not immediately possible, disable the tegra_qspi driver module or restrict SPI access until the patch is applied to prevent the race condition from occurring.

Advisories
Source      ID          Title
Ubuntu USN  USN-8100-1  Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN  USN-8163-1  Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN  USN-8163-2  Linux kernel (Azure) vulnerabilities
History

Thu, 02 Apr 2026 11:45:00 +0000


Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer.
Title spi: tegra210-quad: Protect curr_xfer check in IRQ handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:30:51.428Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23207

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-02-14T17:15:58.610

Modified: 2026-04-02T12:16:19.293

Link: CVE-2026-23207

Redhat

Severity: Moderate

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23207 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses