PatchSiren cyber security CVE debrief
CVE-2026-31485 Linux CVE debrief
A use-after-free vulnerability was found in the Linux kernel's spi_fsl_lpspi driver. The vulnerability occurs due to a teardown order issue, where the SPI controller is unregistered after the fsl_lpspi_remove function returns, leading to a NULL pointer dereference when a running SPI transfer triggers a DMA RX error. This issue affects users of the Linux kernel, particularly those using the spi_fsl_lpspi driver. An attacker can trigger the vulnerability by causing a running SPI transfer to trigger a DMA RX error, resulting in a NULL pointer dereference. The vulnerability has a high defensive priority and requires immediate attention.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-22
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-22
- Advisory updated
- 2026-07-14
Who should care
Users of the Linux kernel, particularly those using the spi_fsl_lpspi driver, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing the Linux kernel source code and patch notes for CVE-2026-31485, confirming that the fix has been applied to affected systems, and monitoring for any potential exploitation attempts. Operators, platform administrators, vulnerability management teams, and security teams should all be aware of this vulnerability and take necessary actions to protect their systems.
Technical summary
The vulnerability is caused by a teardown order issue in the spi_fsl_lpspi driver. The SPI controller is registered using devm_spi_register_controller, which delays unregistration until after the fsl_lpspi_remove function returns. However, the fsl_lpspi_remove function synchronously tears down the DMA channels, leading to a use-after-free vulnerability. An attacker can trigger the vulnerability by causing a running SPI transfer to trigger a DMA RX error, resulting in a NULL pointer dereference. The fix involves switching from devm_spi_register_controller to spi_register_controller in fsl_lpspi_probe and adding the corresponding spi_unregister_controller in fsl_lpspi_remove.
Defensive priority
High
Recommended defensive actions
- Apply the patches provided by the Linux kernel maintainers to fix the vulnerability.
- Use a supported version of the Linux kernel that has the fix applied.
- Monitor for and apply any additional patches or updates provided by the Linux kernel maintainers.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The vulnerability was resolved by switching from devm_spi_register_controller to spi_register_controller in fsl_lpspi_probe and adding the corresponding spi_unregister_controller in fsl_lpspi_remove. This change ensures that the SPI controller is properly unregistered before the DMA channels are torn down, preventing the use-after-free vulnerability. To verify, defenders should review the Linux kernel source code and patch notes for CVE-2026-31485, and confirm that the fix has been applied to affected systems.
Official resources
-
CVE-2026-31485 CVE record
CVE.org
-
CVE-2026-31485 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T14:16:45.923Z and has not been modified since then.