CVE-2026-23475

CVE-2026-23475 PUBLISHED

Reported by Linux · Published April 3, 2026

In the Linux kernel, the following vulnerability has been resolved:

spi: fix statistics allocation

The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference.

Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Affected Products

Vendor | Product | Versions
Linux | Linux | 6598b91b5ac32bc756d7c3000a31f775d4ead1c4, 6598b91b5ac32bc756d7c3000a31f775d4ead1c4, 6598b91b5ac32bc756d7c3000a31f775d4ead1c4
Linux | Linux | 6.0, 0, 6.1.167
linux | linux_kernel | 6.0, 6.0, 6.0

Timeline

  • Apr 3, 2026 CVE Published
  • Apr 7, 2026 CVE Updated
