Description
In the Linux kernel, the following vulnerability has been resolved:

spi: mpc52xx: fix use-after-free on registration failure

Make sure to disable and free the interrupts in case controller
registration fails to avoid a potential use-after-free and resource
leak.

This issue was flagged by Sashiko when reviewing a controller
deregistration fix.
Published: 2026-05-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the SPI mpc52xx controller fails to register; interrupts are disabled but not freed, leading to a use-after-free and a resource leak that could corrupt kernel memory or crash the system. Based on the nature of the use-after-free, it is inferred that an attacker able to trigger device registration could potentially read or write arbitrary kernel memory, raising the risk of privilege escalation or denial of service.

Affected Systems

Linux kernel implementations that include the mpc52xx SPI controller driver are affected until the fix is applied. No specific kernel versions are listed in the CNA data, so any system using a version that has not been patched may be vulnerable.

Risk and Exploitability

The EPSS score is below 1% and the CVSS score is 7.8. The flaw is not listed in the CISA KEV catalog. Based on the description, exploitation appears to require local access that can trigger device registration; an attacker with that access could potentially read or write arbitrary kernel memory, raising the risk of privilege escalation or denial of service.

Generated by OpenCVE AI on June 10, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your Linux kernel to the latest release that contains the mpc52xx driver fix or backport the commit that disables and frees interrupts on registration failure.
  • Reboot the system or reload the spi mpc52xx module after applying the update to ensure the changes take effect.
  • (Optional) Restrict kernel module loading to trusted administrative users to reduce the chance of an attacker triggering registration failures.

Generated by OpenCVE AI on June 10, 2026 at 22:37 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix.
Title spi: mpc52xx: fix use-after-free on registration failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:05:11.651Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46241

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:39.710

Modified: 2026-06-10T21:01:29.747

Link: CVE-2026-46241

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46241 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses