PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43460 Linux CVE debrief

CVE-2026-43460 is a Linux kernel double-free issue in the Rockchip SFC SPI controller driver. The problem comes from calling spi_unregister_controller() in remove() after registration was already handled by devm_spi_register_controller(), which can trigger a second free during device removal. The referenced fix changes probe() to use spi_register_controller() so controller teardown happens in the intended order before DMA buffer unmapping.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Kernel maintainers, Linux distribution security teams, and operators of embedded/ARM systems that include the Rockchip SFC SPI flash controller should care most. NVD rates the issue as HIGH (CVSS 7.8) with local, low-privilege conditions, so systems that expose the affected kernel path should be prioritized for patching.

Technical summary

NVD classifies the weakness as CWE-415 (double free) and marks the vulnerability as analyzed. The supplied description states that the driver registered the controller with devm_spi_register_controller(), which unregisters it automatically when the device is removed, while remove() also called spi_unregister_controller() explicitly; because both paths run during removal, the controller can be unregistered and freed twice. The fix switches probe() to spi_register_controller() so that the single explicit unregister in remove() is the only teardown, and it runs before the DMA buffers are unmapped. NVD lists affected Linux kernel ranges of 6.14 up to but not including 6.18.19, 6.19 up to but not including 6.19.9, and the 7.0 release candidates rc1 through rc3.
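The registration and teardown mismatch described above, as a small userspace C model added to this debrief (it is not the kernel driver or the upstream patch): the functions are constructed stand-ins named after the kernel APIs, and the model runs the three possible probe/remove pairings to show how many times the controller gets unregistered and where that lands relative to the DMA buffer unmap.

```c
/* Userspace model of the devm-vs-explicit SPI controller registration
 * lifecycle from the advisory. Not Linux kernel code; every function here
 * is a constructed stand-in for the kernel API of the same name. */
#include <stddef.h>
#include <string.h>

enum { DEVM_PLUS_EXPLICIT = 0, DEVM_ONLY = 1, EXPLICIT_ONLY = 2 };

struct ctlr { int registered; int unregister_calls; };

/* Teardown trace: 'U' = spi_unregister_controller, 'D' = DMA buffer unmap. */
struct trace { char seq[8]; int n; };

/* devres stack: release callbacks run after remove() returns, newest first. */
typedef void (*release_fn)(struct ctlr *, struct trace *);
static release_fn devres[4];
static int ndevres;

static void spi_unregister_controller(struct ctlr *c, struct trace *t)
{
    /* Every call is counted so the caller can detect the double free. */
    c->unregister_calls++;
    c->registered = 0;
    t->seq[t->n++] = 'U';
}

static void devm_spi_register_controller(struct ctlr *c)
{
    c->registered = 1;
    devres[ndevres++] = spi_unregister_controller; /* auto-unregister later */
}

static void spi_register_controller(struct ctlr *c) { c->registered = 1; }

static void dma_unmap(struct trace *t) { t->seq[t->n++] = 'D'; }

/* Runs probe(), remove() and the devres releases for one pairing.
 * Returns the number of unregister calls; 2 is the double free. */
static int run_driver(int variant, struct trace *t)
{
    struct ctlr c = {0};
    ndevres = 0; t->n = 0;
    if (variant == EXPLICIT_ONLY) spi_register_controller(&c);   /* probe() */
    else devm_spi_register_controller(&c);
    if (variant != DEVM_ONLY) spi_unregister_controller(&c, t);  /* remove() */
    dma_unmap(t);
    while (ndevres > 0) devres[--ndevres](&c, t);  /* device core after remove() */
    t->seq[t->n] = '\0';
    return c.unregister_calls;
}
```

DEVM_ONLY avoids the double free but moves the unregister after the DMA unmap, which is why the fix keeps the explicit unregister in remove() and drops the devm registration instead.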

Defensive priority

High. This is a kernel memory-safety issue with potential integrity and availability impact, and NVD’s CVSS vector indicates local access with low privileges is sufficient. Patch affected kernels and backport the upstream fix on any downstream branch that carries the Rockchip SFC driver.

Recommended defensive actions

  • Apply the upstream Linux kernel fix referenced by NVD for CVE-2026-43460.
  • If you maintain downstream kernels, backport the change that replaces devm_spi_register_controller() with spi_register_controller() in the Rockchip SFC driver.
  • Remove any redundant controller teardown path that could double-unregister the SPI controller during device removal.
  • Inventory systems using the Rockchip SFC SPI controller and confirm whether they run kernels in the affected version ranges listed by NVD.
  • After patching, confirm that every build which still carries the Rockchip SFC driver is a fixed build, and that the updated kernel package versions have rolled out across all fleets.

Evidence notes

The debrief is based only on the supplied CVE description and the official NVD record. NVD lists the weakness as CWE-415 and provides the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The record also includes three kernel patch references, and the supplied description explicitly explains the double-free mechanism and the registration/unregistration fix. Affected version ranges are taken from the NVD CPE criteria in the source item.

Official resources

The supplied CVE record was published on 2026-05-08 and last modified on 2026-05-20. Those dates are used here as the issue publication and update context; PatchSiren generation or review timing is not treated as the CVE date.