PatchSiren cyber security CVE debrief
CVE-2026-23475 Linux CVE debrief
CVE-2026-23475 is a Linux kernel SPI subsystem vulnerability that can trigger a NULL-pointer dereference when sysfs statistics are accessed before per-controller statistics are allocated. NVD rates the issue as medium severity, with local low-privilege access leading to high availability impact. The published fix moves statistics allocation earlier in controller setup and ties its lifetime to the controller, closing the registration window that allowed the crash.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distribution security teams, and operators running systems that expose SPI controller sysfs attributes should pay attention, especially where local users or sandboxed workloads may interact with the affected kernel.
Technical summary
According to the CVE description, the SPI controller per-CPU statistics were not allocated until after the controller had been registered with the driver core. That sequence left a window in which sysfs attribute access could dereference a NULL statistics pointer. The fix allocates statistics during controller allocation and ties cleanup to the controller lifecycle instead of relying on implicit devres behavior. NVD maps the weakness to CWE-476 and lists CVSS v3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, low-privilege denial-of-service condition.
Defensive priority
Moderate. This is a local availability issue rather than a remote code execution flaw, but it can still be disruptive on systems where untrusted local users or workloads exist. Patch priority should be high for kernels in the affected ranges listed by NVD and for products that expose the SPI sysfs interface.
Recommended defensive actions
- Apply the kernel fix referenced by the official stable patches and update to a release that includes the remediation.
- Prioritize upgrading Linux kernel versions in the affected NVD ranges: 6.0 before 6.1.167, 6.2 before 6.6.130, 6.7 before 6.12.78, 6.13 before 6.18.20, 6.19 before 6.19.10, and the listed 7.0 release candidates.
- Review systems where local users or containerized workloads may be able to access SPI-related sysfs attributes.
- After patching, verify that the SPI controller statistics allocation occurs during controller setup and that controller teardown cleans it up with the controller lifecycle.
- Track vendor backports if you rely on distribution kernels rather than upstream releases.
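As an added triage helper, not part of the advisory or of the kernel project's own tooling, the Python check below maps a `uname -r` string onto the NVD version ranges quoted in the list above. The range table is copied from that list; the 7.0 release candidates are not encoded because their identifiers are not given here, and a range match is only a hint, since distribution kernels backport fixes without changing the upstream version number.

```python
"""Triage helper for CVE-2026-23475: does a kernel release string fall inside
the NVD affected ranges quoted in this debrief?

Constructed example. The range table is copied from the advisory text; the
7.0 release candidates NVD lists are not encoded (identifiers not on the page),
and a match is only a hint because distribution kernels backport fixes
without bumping the upstream version.
"""
import re

# (inclusive lower bound, exclusive upper bound) as (major, minor, patch)
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 1, 167)),   # 6.0 before 6.1.167
    ((6, 2, 0), (6, 6, 130)),   # 6.2 before 6.6.130
    ((6, 7, 0), (6, 12, 78)),   # 6.7 before 6.12.78
    ((6, 13, 0), (6, 18, 20)),  # 6.13 before 6.18.20
    ((6, 19, 0), (6, 19, 10)),  # 6.19 before 6.19.10
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> tuple:
    """Extract the upstream major.minor.patch triple from a `uname -r` string.

    Vendor suffixes such as '-generic', '-arch1-1' or '+' are ignored; a
    missing patch level (e.g. '6.19') is treated as .0.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_in_affected_range(release: str) -> bool:
    """True if the upstream version lies inside one of the NVD-listed ranges."""
    v = parse_kernel_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(release: str) -> str:
    """Human-readable verdict for one host."""
    if is_in_affected_range(release):
        return f"{release}: in NVD range, confirm vendor backport status"
    return f"{release}: outside listed NVD ranges"


if __name__ == "__main__":
    import subprocess
    running = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True, check=True).stdout.strip()
    print(triage(running))
```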
Evidence notes
The CVE record and NVD detail page identify the issue as analyzed, assign CWE-476, and provide the CVSS vector and affected version criteria. The kernel.org stable references are official patch links associated with the remediation. No exploit details are included here, and no facts beyond the supplied corpus and official links were used.
Official resources
- CVE-2026-23475 CVE record (CVE.org)
- CVE-2026-23475 NVD detail (NVD)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed on 2026-04-03T16:16:35.440Z, with a later NVD modification on 2026-05-20T15:14:29.237Z.