VDB

DEBIAN-CVE-2026-23207

DEBIAN-CVE-2026-23207 PUBLISHED CVSS 4.699999809265137 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer.

Risk Scores

CVSS 3.1
4.699999809265137
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:13linux0, 6.12.63-1, 6.12.73-1
Debian:12linux6.4.4-3, 6.13.5-1, 6.13.6-1
Debian:14linux6.16.1-1~exp1, 6.16.10-1, 6.16.11-1

Timeline

  • Feb 14, 2026 CVE Published
  • Apr 30, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›