CVE-2026-31485
Description
In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: | fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] | Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...] Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | forky | fixed | 6.19.11-1 |
| debian | sid | fixed | 6.19.11-1 |
| debian | trixie | fixed | 6.12.85-1 |
| debian | bullseye | fixed | 6.1.170-1~deb11u1 |
| linux-kernel | affected | 5.10.253 | |
| linux-kernel | 4.10 | affected | |
| linux-kernel | 7.0 | affected | |
References
- https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300
- https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86
- https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e
- https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb
- https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc
- https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b
- https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3
- https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6
- https://www.suse.com/security/cve/CVE-2026-31485.html
- https://security-tracker.debian.org/tracker/CVE-2026-31485
CWEs
CWE-416
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.