PatchSiren

CVE-2026-45996 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's SPI i.MX driver that triggers during device unbind operations. The SPI subsystem automatically frees the controller and driver data upon deregistration unless device-managed allocation is used. The fix takes an additional reference before deregistering the controller to ensure driver data remains valid until the driver completes its cleanup. This vulnerability affects systems using the SPI i.MX driver on unbind events, which could occur during driver removal, system shutdown, or hot-unplug scenarios. The vulnerability was resolved in the Linux kernel stable branches with commits addressing the reference counting issue.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with i.MX SPI controllers, particularly embedded systems, industrial control systems, and IoT devices using NXP i.MX processors with SPI interfaces. System administrators maintaining kernel versions that include the SPI i.MX driver should prioritize updates.

Technical summary

The SPI i.MX driver in the Linux kernel contains a use-after-free vulnerability triggered during device unbind. The SPI subsystem frees controller and driver data during deregistration, but the driver may still access this data. The fix implements additional reference counting to extend the lifetime of driver data until the driver completes its unbind operations.
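The lifetime problem and the extra-reference fix described above, as an added userspace model in C (not kernel code and not the upstream patch). All names (`model_ctlr`, `ctlr_get`, `ctlr_put`, `ctlr_unregister`, `driver_cleanup`) are hypothetical, and the model assumes the registration holds the only reference unless the driver takes its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: driver data shares the controller's refcounted lifetime. */
struct model_ctlr {
    int refs;
    int clk_on;                 /* stands in for driver data used in cleanup */
};

static bool released;           /* last reference has been dropped */
static bool stale_access;       /* cleanup ran after release */

static void ctlr_get(struct model_ctlr *c) { c->refs++; }
static void ctlr_put(struct model_ctlr *c) { if (--c->refs == 0) released = true; }
/* Deregistration drops the reference held by the registration. */
static void ctlr_unregister(struct model_ctlr *c) { ctlr_put(c); }

/* Cleanup needs driver data; the model flags a stale access instead of making one. */
static void driver_cleanup(struct model_ctlr *c)
{
    if (released) { stale_access = true; return; }
    c->clk_on = 0;
}

/* Runs one unbind; returns true if cleanup touched already-released data. */
bool unbind_touches_released_data(bool take_extra_ref)
{
    struct model_ctlr *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refs = 1; c->clk_on = 1;
    released = stale_access = false;
    if (take_extra_ref) ctlr_get(c);    /* fixed ordering: hold a reference */
    ctlr_unregister(c);                 /* without it, refs reaches 0 here */
    driver_cleanup(c);
    if (take_extra_ref) ctlr_put(c);    /* release only after cleanup */
    free(c);                            /* real free deferred so the demo is UB-free */
    return stale_access;
}

int main(void)
{
    printf("no extra ref:   stale access = %d\n", unbind_touches_released_data(false));
    printf("with extra ref: stale access = %d\n", unbind_touches_released_data(true));
    return 0;
}
```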

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits to affected systems
  • Verify running kernel version against patched versions in stable branches
  • Monitor for kernel updates from distribution vendors incorporating these fixes
  • Review systems using i.MX SPI controllers for potential exposure
  • Plan maintenance windows for kernel updates on affected embedded or industrial systems

Evidence notes

The vulnerability description indicates a use-after-free condition in the SPI i.MX driver during unbind operations. The fix involves proper reference counting to prevent premature freeing of driver data. Multiple stable kernel commits are referenced, indicating backports to supported kernel versions.

Official resources

2026-05-27