{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31389", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.084Z", "datePublished": "2026-04-03T15:15:55.068Z", "dateUpdated": "2026-04-03T15:15:55.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:55.068Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "0e23f50086da7d0b183dfeac26021acfcdee086b", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "6bbd385b30c7fb6c7ee0669e9ada91490938c051", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "afe27c1f43aa57530011f419be6ddf71306565d2", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "80f3e8cd2b4ad355b2ad2024cf423f6d183404f7", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "23b51bad2eb8787aa74324cfccefb258515ae5ba", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "8634e05b08ead636e926022f4a98416e13440df9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"}, {"url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"}, {"url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"}, {"url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"}, {"url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"}, {"url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"}], "title": "spi: fix use-after-free on controller registration failure", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses."}], "id": "CVE-2026-31389", "lastModified": "2026-04-03T16:16:36.823", "metrics": {}, "published": "2026-04-03T16:16:36.823", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: spi: fix use-after-free on controller registration failure", "id": "2454859", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454859"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Serial Peripheral Interface (SPI) subsystem. During controller registration, a use-after-free vulnerability can occur if the allocation of per-CPU statistics fails. This could allow a local attacker to cause system instability or a denial of service by accessing freed memory."], "name": "CVE-2026-31389", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31389\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31389\nhttps://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31389-036b@gregkh/T"], "statement": "This vulnerability occurs only during an unlikely error path when per-CPU statistics allocation fails during SPI controller registration. Under normal system operation with adequate memory, this path is not exercised. The practical exploitability is very limited as it requires triggering a specific allocation failure during driver initialization.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,0e23f50086da7d0b183dfeac26021acfcdee086b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,6bbd385b30c7fb6c7ee0669e9ada91490938c051)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,afe27c1f43aa57530011f419be6ddf71306565d2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,80f3e8cd2b4ad355b2ad2024cf423f6d183404f7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,23b51bad2eb8787aa74324cfccefb258515ae5ba)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,8634e05b08ead636e926022f4a98416e13440df9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.167,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.130,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.78,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:39:24.953820+00:00", "value": {"mitigation_remediation": ["Check the kernel version you are running and verify that it includes the commit that fixes the use\u2011after\u2011free in the SPI controller subsystem.", "Upgrade the kernel to a release that incorporates the patch, such as the latest stable or long\u2011term support branch from your distribution.", "After updating, reboot the system to ensure the new kernel image is in use.", "If your environment requires immediate protection and an update cannot be applied, monitor for any known exploits targeting this flaw and apply any vendor\u2011issued workarounds if available; otherwise, restrict local module loading privileges until an update is applied."], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that contain the affected SPI controller code are impacted. The CNA lists the generic vendor product \u2018Linux:Linux\u2019 twice and no specific version range is provided, implying that the flaw exists across the default kernel branches at the time of the fix. Users should check the release notes for the kernel version they run to confirm whether the patch has been applied.", "description_and_impact": "A use\u2011after\u2011free condition was identified in the Linux kernel\u2019s SPI controller registration path. When per\u2011CPU statistics allocation fails during controller setup, the driver core deregistration was omitted, leaving driver resources dangling. If these resources are later accessed, the kernel may perform unclocked register operations on freed memory, resulting in memory corruption that can be leveraged to gain higher privileges or crash the system.", "risk_and_exploitability": "Use\u2011after\u2011free vulnerabilities in kernel code are traditionally high\u2011impact. Although the EPSS score is not available and the issue is not listed in CISA\u2019s KEV catalog, the nature of the flaw (freeing driver resources before completing registration) makes it exploitable by a local attacker with capabilities to load or manipulate SPI drivers. Successful exploitation could lead to arbitrary code execution with kernel privileges or a denial\u2011of\u2011service attack that destabilizes the system."}}}}, "created": "2026-04-03T21:13:22.992528+00:00", "updated": "2026-04-03T21:15:38.058860+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}