Description
In the Linux kernel, the following vulnerability has been resolved:

spi: fix statistics allocation

The controller per-cpu statistics is not allocated until after the
controller has been registered with driver core, which leaves a window
where accessing the sysfs attributes can trigger a NULL-pointer
dereference.

Fix this by moving the statistics allocation to controller allocation
while tying its lifetime to that of the controller (rather than using
implicit devres).
Published: 2026-04-03
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, the SPI subsystem contains a flaw where controller statistics are allocated only after the controller has been registered with driver core. Until that point, accessing sysfs attributes for the controller can dereference a NULL pointer, which triggers a kernel panic. This results in a denial of service by crashing the kernel.

Affected Systems

The flaw affects all Linux kernel versions that include the pre‑commit SPI driver code. Any system running a kernel build that has not incorporated the change that allocates statistics during controller construction is vulnerable. The affected product is the Linux kernel, specifically the SPI core.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, indicating no publicly available data on exploitation potential. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires local access to the SPI sysfs attributes; an attacker would need to read or write these attributes before the controller is fully registered. Successful exploitation leads to a kernel panic and system reboot, but no public exploits are currently documented.

Generated by OpenCVE AI on April 3, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit allocating controller statistics during construction.
  • If an update cannot be applied immediately, unbind or disable the affected SPI devices to remove sysfs exposure until the patch is available.
  • Restrict read/write permissions on the SPI sysfs attributes to privileged users only to reduce the attack surface.

Generated by OpenCVE AI on April 3, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).
Title spi: fix statistics allocation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:54.211Z

Reserved: 2026-01-13T15:37:46.022Z

Link: CVE-2026-23475

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:35.440

Modified: 2026-04-03T16:16:35.440

Link: CVE-2026-23475

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23475 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:39Z

Weaknesses