CVE-2026-31389 - Vulnerability Details

- spi: fix use-after-free on controller registration failure

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: fix use-after-free on controller registration failure

Make sure to deregister from driver core also in the unlikely event that
per-cpu statistics allocation fails during controller registration to
avoid use-after-free (of driver resources) and unclocked register
accesses.

Published: 2026-04-03

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a use‑after‑free condition in the Linux kernel’s SPI controller registration path. When per‑CPU statistics allocation fails, the kernel does not deregister the driver correctly, leaving freed driver resources that can still be accessed. Failure to clean up in this unlikely scenario can lead to an attacker executing arbitrary code inside the kernel or causing a crash. The weakness is formally classified as CWE‑825.

Affected Systems

All Linux kernel implementations that include the affected SPI registration code are vulnerable. The flaw exists in the mainline kernel source that was current when the fix was made. No specific downstream distribution or kernel release list is supplied, so any system running an unpatched kernel before the commit that introduced the removal of this bug is at risk.

Risk and Exploitability

The CVSS rating of 7.8 indicates a high severity, and the EPSS value of less than 1 % suggests that exploitation is unlikely in the wild. The defect is not listed in CISA’s KEV catalog. A successful exploitation would require local kernel access or the ability to trigger the controller registration failure, which is an inferred local attack vector; remote exploitation is not documented.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< 0e23f50086da7d0b183dfeac26021acfcdee086b
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< 6bbd385b30c7fb6c7ee0669e9ada91490938c051
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< afe27c1f43aa57530011f419be6ddf71306565d2
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< 80f3e8cd2b4ad355b2ad2024cf423f6d183404f7
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< 23b51bad2eb8787aa74324cfccefb258515ae5ba
`6598b91b5ac32bc756d7c3000a31f775d4ead1c4`	affected	< 8634e05b08ead636e926022f4a98416e13440df9

Linux

affected

Version	Status	Constraints
`6.0`	affected	—
`0`	unaffected	< 6.0
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,0e23f50086da7d0b183dfeac26021acfcdee086b)`	affected	code_commit	—
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,6bbd385b30c7fb6c7ee0669e9ada91490938c051)`	affected	code_commit	—
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,afe27c1f43aa57530011f419be6ddf71306565d2)`	affected	code_commit	—
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,80f3e8cd2b4ad355b2ad2024cf423f6d183404f7)`	affected	code_commit	—
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,23b51bad2eb8787aa74324cfccefb258515ae5ba)`	affected	code_commit	—
`[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,8634e05b08ead636e926022f4a98416e13440df9)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.0`	affected	semver	—
`[0,6.0)`	unaffected	generic	—
`[6.1.167,6.1.*]`	unaffected	generic	—
`[6.6.130,6.6.*]`	unaffected	generic	—
`[6.12.78,6.12.*]`	unaffected	generic	—
`[6.18.20,6.18.*]`	unaffected	generic	—
`[6.19.10,6.19.*]`	unaffected	generic	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a release that includes the SPI controller use‑after‑free fix.
Ensure that all modules interacting with the SPI controller are compiled for the new kernel or are replaced with updated versions that include the fix.
If an immediate kernel update is not available, restrict SPI controller use by disabling unnecessary devices at boot or using device tree overrides to avoid dynamic registration.

Generated by OpenCVE AI on April 28, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b
https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba
https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051
https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7
https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9
https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2
https://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31389-036b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31389
https://www.cve.org/CVERecord?id=CVE-2026-31389

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31389-036b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31389 https://www.cve.org/CVERecord?id=CVE-2026-31389
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.
Title		spi: fix use-after-free on controller registration failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051 https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7 https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9 https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:55.068Z

Updated: 2026-04-27T14:02:41.755Z

Reserved: 2026-03-09T15:48:24.084Z

Link: CVE-2026-31389

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:36.823

Modified: 2026-04-27T14:16:35.207

Link: CVE-2026-31389

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31389 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object