Description
In the Linux kernel, the following vulnerability has been resolved:

spi: spi-fsl-lpspi: fix teardown order issue (UAF)

There is a teardown order issue in the driver. The SPI controller is
registered using devm_spi_register_controller(), which delays
unregistration of the SPI controller until after the fsl_lpspi_remove()
function returns.

As the fsl_lpspi_remove() function synchronously tears down the DMA
channels, a running SPI transfer triggers the following NULL pointer
dereference due to use after free:

| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
| spi_transfer_one_message+0x49c/0x7c8
| __spi_pump_transfer_message+0x120/0x420
| __spi_sync+0x2c4/0x520
| spi_sync+0x34/0x60
| spidev_message+0x20c/0x378 [spidev]
| spidev_ioctl+0x398/0x750 [spidev]
[...]

Switch from devm_spi_register_controller() to spi_register_controller() in
fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in
fsl_lpspi_remove().
Published: 2026-04-22
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Kernel Crash (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

The spi-fsl-lpspi driver in the Linux kernel contains a teardown order bug that causes a use-after-free of the DMA channel structures while a SPI transfer is in progress. The driver's remove function tears down the DMA channels synchronously while the SPI controller is still registered, so a transfer that is still running dereferences a NULL pointer. The resulting NULL pointer dereference triggers a kernel panic, leading to a system crash. This flaw could enable a local attacker who can drive the SPI controller to cause loss of availability or, if the crash can be fully controlled, potentially to elevate privileges or execute code in kernel space.
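The ordering problem can be reproduced in a small userspace model. The C program below is an added example, not code from the kernel, the driver or OpenCVE; its struct, function names and result codes are hypothetical, and the only behaviour taken from the kernel is that managed (devm) release actions run after remove() has returned.

```c
/* Userspace model of unbind ordering. Constructed for illustration;
 * names are hypothetical and this is not kernel or driver code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum xfer { XFER_OK, XFER_REJECTED, XFER_FREED_DMA };

struct ctlr {
    bool registered;                  /* core still hands transfers to the driver */
    int *dma_rx;                      /* stand-in for a DMA channel, NULL once released */
    void (*devres[4])(struct ctlr *); /* managed (devm) release actions */
    int ndevres;
};

/* What a transfer submitted at this instant would run into. */
static enum xfer try_transfer(const struct ctlr *c)
{
    if (!c->registered)
        return XFER_REJECTED;
    return c->dma_rx ? XFER_OK : XFER_FREED_DMA;
}

static void unregister_ctlr(struct ctlr *c) { c->registered = false; }
static void dma_exit(struct ctlr *c) { free(c->dma_rx); c->dma_rx = NULL; }

/* Unbind in driver-core order: remove() first, devres actions after it
 * returns. Returns what a transfer arriving between the phases would see. */
enum xfer unbind(bool managed)
{
    struct ctlr c = { .registered = true, .dma_rx = malloc(sizeof(int)) };
    enum xfer seen;
    if (!c.dma_rx)
        abort();
    if (managed)                      /* probe: devm-style registration */
        c.devres[c.ndevres++] = unregister_ctlr;
    if (!managed)                     /* remove(): explicit unregister first */
        unregister_ctlr(&c);
    dma_exit(&c);                     /* remove(): release the DMA channels */
    seen = try_transfer(&c);
    while (c.ndevres > 0)             /* devres phase, after remove() returned */
        c.devres[--c.ndevres](&c);
    return seen;
}

int main(void)
{
    printf("devm: %d, explicit: %d\n", unbind(true), unbind(false));
}
```

With managed registration the model reports a transfer reaching released DMA state; with the explicit unregister placed first in remove(), the same transfer is refused.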

Affected Systems

All Linux kernel distributions that include the Freescale/NXP LPSPI (low‑power serial peripheral interface) SPI driver are affected. The vulnerability is present wherever the spi-fsl-lpspi module is loaded, regardless of kernel release, because no specific version is listed. Users of embedded devices, routers, or virtualization guests that rely on this driver are subject to the risk.

Risk and Exploitability

The CVSS score is not supplied, and the EPSS score is unavailable, so the precise quantitative risk is unknown. However, the flaw is an unchecked use‑after‑free that can be triggered by performing a SPI transfer while the driver is being removed, which is an action a local user with access to the device node or a privileged process can conceivably perform. The lack of a public KEV listing suggests that known exploits are not yet documented. In the absence of a high EPSS score, the primary threat is a potential local denial of service with a risk of privilege escalation if the kernel crash can be manipulated for code execution. The attack vector is inferred to be local, requiring the ability to initiate or control SPI transfers during driver unregistration.

Generated by OpenCVE AI on April 22, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade to a kernel version that replaces devm_spi_register_controller with spi_register_controller and adds spi_unregister_controller during removal.
  • Temporarily restrict spidev device access or stop services that issue SPI transfers while performing the driver removal, ensuring no transactions are in progress.
  • Reboot the system following the update or restriction to fully reload the driver and verify that no NULL pointer dereference messages appear in kernel logs.

Generated by OpenCVE AI on April 22, 2026 at 18:51 UTC.
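
The log check in the last recommended action can be automated by matching the crash signature quoted in the description. The C program below is an added example, not part of the kernel or of OpenCVE; it assumes the kernel log has been saved as text, and the sample log in it is constructed, with a placeholder frame standing in for an unrelated crash.

```c
/* Detector for the crash signature quoted in this entry: a NULL pointer
 * dereference report whose call trace passes through fsl_lpspi_dma_transfer.
 * Added example; SAMPLE is constructed, not a captured log. */
#include <stdio.h>
#include <string.h>

#define OOPS_HDR "Unable to handle kernel NULL pointer dereference"
#define FRAME    "fsl_lpspi_dma_transfer+"
#define OOPS_END "---[ end trace"

/* Number of reports in log that match the signature. A report runs from its
 * header to the next end-of-trace marker, the next header, or end of log. */
int count_lpspi_oops(const char *log)
{
    int hits = 0;
    const char *hdr = log;

    while ((hdr = strstr(hdr, OOPS_HDR)) != NULL) {
        const char *body = hdr + strlen(OOPS_HDR);
        const char *end = strstr(body, OOPS_END);
        const char *next = strstr(body, OOPS_HDR);
        const char *frame = strstr(body, FRAME);

        if (next && (!end || next < end))
            end = next;               /* report cut off before its end marker */
        if (frame && (!end || frame < end))
            hits++;                   /* driver frame lies inside this report */
        hdr = body;
    }
    return hits;
}

/* Constructed sample: the trace from this entry, then an unrelated report
 * with a placeholder frame that must not be counted. */
static const char SAMPLE[] =
    "fsl_lpspi 42550000.spi: I/O Error in DMA RX\n"
    "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n"
    "Call trace:\n"
    " fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n"
    " fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n"
    "---[ end trace 0000000000000000 ]---\n"
    "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n"
    " placeholder_func+0x10/0x40 [placeholder_mod]\n"
    "---[ end trace 0000000000000000 ]---\n";

int main(void)
{
    printf("matching reports: %d\n", count_lpspi_oops(SAMPLE));
}
```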

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: | fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] | Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...] Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
Title spi: spi-fsl-lpspi: fix teardown order issue (UAF)
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:54:10.892Z

Reserved: 2026-03-09T15:48:24.101Z

Link: CVE-2026-31485

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:45.923

Modified: 2026-04-22T14:16:45.923

Link: CVE-2026-31485

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31485 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:00:08Z

Weaknesses