VDB

DEBIAN-CVE-2026-23475

DEBIAN-CVE-2026-23475 PUBLISHED

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Affected Products

VendorProductVersions
Debian:13linux0, *, 6.12.85-1
Debian:12linux*, 6.12.63-1~bpo12+1, 6.12.69-1
Debian:11linux-6.16.1.148-1, 6.1.153-1, 6.1.158-1
Debian:14linux*, *, 6.12.74-2

Exploit Intelligence

Timeline

  • Apr 3, 2026 CVE Published
  • May 2, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›