PatchSiren


CVE-2026-31489 Linux CVE debrief

CVE-2026-31489 is a Linux kernel vulnerability in the spi: meson-spicc driver’s teardown path. According to the published description, meson_spicc_probe() registers the controller with devm_spi_register_controller(), so device-managed cleanup already drops the controller reference. A second spi_controller_put() in meson_spicc_remove() creates a double-put condition, which is the basis for the CWE-415 classification. NVD rates the issue HIGH with a local attack vector and low privileges required, so this is primarily a defensive concern for systems running affected kernel builds, especially where the meson-spicc driver is present.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-05-17
Advisory published: 2026-04-22
Advisory updated: 2026-05-17

Who should care

Kernel maintainers, Linux distribution security teams, and operators of systems that may use the meson-spicc SPI controller driver should care most. Security teams should also review any fleet running affected Linux kernel branches listed by NVD, since the vulnerable ranges span multiple long-term and mainline release lines.

Technical summary

The issue is a reference-management mistake in driver removal logic. meson_spicc_probe() uses devm_spi_register_controller(), which means the controller reference is handled by device-managed cleanup. meson_spicc_remove() then calls spi_controller_put() again, causing an extra decrement of the controller reference count. NVD maps the weakness to CWE-415 and assigns CVSS v3.1 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
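A simplified user-space model of the unbind sequence described above, added here as an illustration and not taken from the kernel source or the NVD record. The struct and the model_* names are hypothetical stand-ins; following the description, the probe-time reference is assumed to be owned by device-managed cleanup, which runs after the driver's remove() callback.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the refcounted SPI controller object. */
struct model_ctlr {
    int  refs;       /* outstanding references */
    bool released;   /* set when the last reference is dropped */
    int  stale_puts; /* puts that arrived after release (the CWE-415 case) */
};

/* Stand-in for spi_controller_put(): drop one reference. */
static void model_put(struct model_ctlr *c)
{
    if (c->released) {      /* in the real kernel this touches a freed object */
        c->stale_puts++;
        return;
    }
    if (--c->refs == 0)
        c->released = true; /* in the real kernel the object is freed here */
}

/* Stand-in for remove(): extra_put models the redundant put call. */
static void model_remove(struct model_ctlr *c, bool extra_put)
{
    if (extra_put)
        model_put(c);
}

/* Unbind order: the driver's remove() runs first, then devm cleanup. */
int stale_puts_after_unbind(bool extra_put)
{
    /* State after probe(): one reference, owned by device-managed cleanup. */
    struct model_ctlr c = { .refs = 1 };

    model_remove(&c, extra_put);
    model_put(&c); /* device-managed cleanup drops the probe reference */
    return c.stale_puts;
}

int main(void)
{
    printf("with extra put:    %d stale put(s)\n", stale_puts_after_unbind(true));
    printf("without extra put: %d stale put(s)\n", stale_puts_after_unbind(false));
    return 0;
}
```

With the extra put, the count reaches zero inside remove(), so the later device-managed put lands on an object that has already been released; without it, the single put at cleanup balances the single reference.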

Defensive priority

High. The vulnerability is locally exploitable, requires low privileges, and is assigned a high CVSS score. Systems with the meson-spicc driver in affected kernel versions should be prioritized for patching or backport verification.

Recommended defensive actions

  • Confirm whether affected systems run a vulnerable Linux kernel branch and whether the meson-spicc driver is present or enabled.
  • Upgrade to a kernel release that includes the fix referenced by the official kernel patches.
  • If you maintain downstream kernels, verify that the double-put removal is backported correctly into your vendor or distro tree.
  • Use the NVD version ranges to validate exposure across 4.14, 4.19, 5.4, 5.10, 5.13, 5.14, 6.13, and 6.19 lines.
  • Track systems that cannot be upgraded immediately and schedule kernel maintenance as a high-priority change.
  • Recheck kernel changelogs or package advisories for the exact fixed build supplied by your distribution.

Evidence notes

All statements here are based on the supplied NVD record and the linked official kernel references. The NVD description explicitly says meson_spicc_probe() already relies on devm_spi_register_controller() and that an extra spi_controller_put() in meson_spicc_remove() causes a double-put. The NVD record also supplies the CVSS vector, CWE-415 mapping, published date of 2026-04-22T14:16:46.603Z, modified date of 2026-05-17T16:16:15.687Z, and the affected Linux kernel version ranges. No exploit steps or unsupported impact claims are included.

Official resources

Publicly disclosed in the NVD record on 2026-04-22T14:16:46.603Z and modified on 2026-05-17T16:16:15.687Z with official kernel references and affected version ranges.