Description
In the Linux kernel, the following vulnerability has been resolved:

spi: fsl: fix controller deregistration

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Linux kernel's SPI controller driver for Freescale devices. During driver unbind, underlying resources such as DMA were released before the controller was deregistered, so they were freed while the controller still referenced them. This improper cleanup can lead to memory corruption, system crashes, or even privilege escalation if exploited.

Affected Systems

All Linux kernel builds that include the SPI fsl driver as it was before the patch are affected. No specific operating system releases were listed; any installation running a kernel that predates the fixing commit and contains the faulty driver is potentially affected.

Risk and Exploitability

The CVSS score and EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. However, the nature of the flaw, kernel memory corruption during driver unbind, indicates a high risk if an attacker can trigger driver removal. The likely attack vector is local or remote code execution that forces the device to be unbound; this could be leveraged through privileged services or, in theory, by a remote attacker if such a service is exposed. The risk remains high due to the kernel's privileged context and the potential for arbitrary code execution or system instability.

Generated by OpenCVE AI on May 28, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch applying the proper controller deregistration before resource release
  • Disable or restrict any automatic or manual device unbinding actions (e.g., via sysfs) for the affected SPI device until the kernel is updated
  • Apply a local kernel patch by integrating the commits that fix the deregistration logic if a vendor update is not yet available

Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. |
| Title | | spi: fsl: fix controller deregistration |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:40:46.027Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46226

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:38.227

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:00:21Z

Weaknesses

No weakness.