Description
In the Linux kernel, the following vulnerability has been resolved:

spi: fsl: fix controller deregistration

Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the SPI controller driver for Freescale devices in the Linux kernel. During driver unbind, underlying resources such as DMA were released before the controller was deregistered, so the still-registered controller could reference resources that had already been released. This flaw can lead to memory corruption and system crashes. The issue was resolved by ensuring the controller is deregistered before the underlying resources are released.

Affected Systems

Linux kernel builds that contain the affected SPI fsl driver without the patch are affected. Any installation of a kernel version that predates the commit introducing the fix may be vulnerable, regardless of distribution.

Risk and Exploitability

The EPSS score indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 places it at medium severity; the recorded vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) describes a local, low-privilege attack whose impact is on availability. Based on the description, it is inferred that an attacker would need the ability to trigger the unbinding of the device, possibly via a local or remote interface that can unbind devices or through a vulnerable privileged service. The potential impact therefore remains significant, but the likelihood of exploitation is low.

Generated by OpenCVE AI on June 10, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the patch for proper controller deregistration
  • Restrict access to sysfs interfaces that allow device unbinding for the affected SPI device until the kernel is updated
  • If a vendor update is not yet available, apply a local kernel patch by cherry‑picking the commits that fix the deregistration logic



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.
Title | | spi: fsl: fix controller deregistration
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:04.259Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46226

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:38.227

Modified: 2026-06-10T19:04:39.457

Link: CVE-2026-46226

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46226 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T21:15:26Z
