Description
In the Linux kernel, the following vulnerability has been resolved:

spi: use generic driver_override infrastructure

When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.

Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.

Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]

Also note that we do not enable the driver_override feature of struct
bus_type, as SPI - in contrast to most other buses - passes "" to
sysfs_emit() when the driver_override pointer is NULL. Thus, printing
"\n" instead of "(null)\n".
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free leading to memory corruption
Action: Apply patch
AI Analysis

Impact

During driver attachment in the Linux kernel, the SPI bus's match() callback is called without the device lock held, so the driver_override field is read without proper synchronization. This race can result in a Use-After-Free condition that may corrupt memory or allow arbitrary execution of code with kernel privileges. The vulnerability arises from insufficient locking around the driver_override field; an attacker could potentially trigger it by manipulating the probing order or device removal during matching, though the exact vector is not explicitly detailed in the advisory.
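
A userspace model of the locking pattern described above, added here as an illustration and not taken from the kernel or from the fixing commit. All names (model_dev, model_store, model_match_unlocked, model_match, model_show) are hypothetical, and a pthread mutex stands in for the locking that the driver-core infrastructure does internally.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model; every name here is hypothetical, not kernel API. */
struct model_dev {
    pthread_mutex_t lock;   /* stands in for the locking the fix relies on */
    char *driver_override;  /* heap string, replaced by the sysfs store path */
};

/* store(): swap the string under the lock, free the old copy; "" clears it. */
int model_store(struct model_dev *d, const char *s)
{
    char *repl = NULL, *old;
    if (s && *s && !(repl = malloc(strlen(s) + 1))) return -1;
    if (repl) strcpy(repl, s);
    pthread_mutex_lock(&d->lock);
    old = d->driver_override;
    d->driver_override = repl;
    pthread_mutex_unlock(&d->lock);
    free(old);
    return 0;
}

/* Unpatched shape: no lock, so a concurrent model_store() can free o mid-compare. */
int model_match_unlocked(struct model_dev *d, const char *drv)
{
    const char *o = d->driver_override;
    return o ? !strcmp(o, drv) : -1;    /* -1: no override set */
}

/* Fixed shape: the load and the compare both sit inside the critical section. */
int model_match(struct model_dev *d, const char *drv)
{
    pthread_mutex_lock(&d->lock);
    int ret = d->driver_override ? !strcmp(d->driver_override, drv) : -1;
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* show(): SPI emits "" (so "\n") when no override is set, not "(null)". */
int model_show(struct model_dev *d, char *buf, size_t len)
{
    pthread_mutex_lock(&d->lock);
    int n = snprintf(buf, len, "%s\n", d->driver_override ? d->driver_override : "");
    pthread_mutex_unlock(&d->lock);
    return n;
}
```

Building the unlocked variant with a thread sanitizer and calling it while another thread runs model_store() reports the data race; the locked variant does not.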

Affected Systems

All Linux kernel releases with the unpatched driver_override handling in the SPI subsystem are affected. The issue is present until the kernel includes the commit that uses the generic driver_override infrastructure to enforce locking.

Risk and Exploitability

The exploitability of the vulnerability relies on inducing the race condition during driver probing. The EPSS score is less than 1% and the vulnerability is not listed in CISA KEV, indicating a low likelihood of exploitation in the wild. The CVSS score of 5.5 reflects a moderate severity, primarily due to its potential to cause data corruption or privilege escalation in kernel space. The lack of an explicit fix package in the advisory suggests that updating the kernel to the patched state is the definitive mitigation action.

Generated by OpenCVE AI on April 29, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest version that incorporates the driver_override fix demonstrated by the commits in the provided references.
  • Rebuild or reapply any custom kernel modules to ensure they reference the patched SPI driver implementation.
  • Monitor system logs for anomalous driver attach failures or memory errors that may indicate an attempt to exploit the race condition.

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:4.20:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Title spi: use generic driver_override infrastructure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:40.958Z

Reserved: 2026-03-09T15:48:24.101Z

Link: CVE-2026-31487

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:46.307

Modified: 2026-04-28T13:05:08.227

Link: CVE-2026-31487

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31487 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:15:43Z

Weaknesses