{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31485", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.101Z", "datePublished": "2026-04-22T13:54:10.892Z", "dateUpdated": "2026-04-22T13:54:10.892Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:10.892Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n| spi_transfer_one_message+0x49c/0x7c8\n| __spi_pump_transfer_message+0x120/0x420\n| __spi_sync+0x2c4/0x520\n| spi_sync+0x34/0x60\n| spidev_message+0x20c/0x378 [spidev]\n| spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-fsl-lpspi.c"], "versions": [{"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "ca4483f36ac1b62e69f8b182c5b8f059e0abecfb", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "e3fd54f8b0317fbccc103961ddd660f2a32dcf0b", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "adb25339b66112393fd6892ceff926765feb5b86", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "d5d01f24bc6fbde40b4e567ef9160194b61267bc", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "15650dfbaeeb14bcaaf053b93cf631db8d465300", "status": "affected", "versionType": "git"}, {"version": "5314987de5e5f5e38436ef4a69328bc472bbd63e", "lessThan": "b341c1176f2e001b3adf0b47154fc31589f7410e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-fsl-lpspi.c"], "versions": [{"version": "4.10", "status": "affected"}, {"version": "0", "lessThan": "4.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"}, {"url": "https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb"}, {"url": "https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b"}, {"url": "https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86"}, {"url": "https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc"}, {"url": "https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3"}, {"url": "https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300"}, {"url": "https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e"}], "title": "spi: spi-fsl-lpspi: fix teardown order issue (UAF)", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n| spi_transfer_one_message+0x49c/0x7c8\n| __spi_pump_transfer_message+0x120/0x420\n| __spi_sync+0x2c4/0x520\n| spi_sync+0x34/0x60\n| spidev_message+0x20c/0x378 [spidev]\n| spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove()."}], "id": "CVE-2026-31485", "lastModified": "2026-04-23T16:17:41.280", "metrics": {}, "published": "2026-04-22T14:16:45.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: spi: spi-fsl-lpspi: fix teardown order issue (UAF)", "id": "2460648", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460648"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the `spi-fsl-lpspi` driver within the Linux kernel. This vulnerability, identified as a Use-After-Free (UAF) issue, stems from a teardown order problem during the unregistration of the Serial Peripheral Interface (SPI) controller. When a running SPI transfer attempts to access deallocated memory during the synchronous teardown of Direct Memory Access (DMA) channels, it can lead to a NULL pointer dereference. This ultimately causes the system to crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31485", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31485\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31485\nhttps://lore.kernel.org/linux-cve-announce/2026042259-CVE-2026-31485-e15c@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,ca4483f36ac1b62e69f8b182c5b8f059e0abecfb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,e3fd54f8b0317fbccc103961ddd660f2a32dcf0b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,adb25339b66112393fd6892ceff926765feb5b86)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,d5d01f24bc6fbde40b4e567ef9160194b61267bc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,15650dfbaeeb14bcaaf053b93cf631db8d465300)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5314987de5e5f5e38436ef4a69328bc472bbd63e,b341c1176f2e001b3adf0b47154fc31589f7410e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.10,4.10]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.131,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:51:17.237234+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011provided patch or upgrade to a kernel version that replaces devm_spi_register_controller with spi_register_controller and adds spi_unregister_controller during removal.", "Temporarily restrict spidev device access or stop services that issue SPI transfers while performing the driver removal, ensuring no transactions are in progress.", "Reboot the system following the update or restriction to fully reload the driver and verify that no NULL pointer dereference messages appear in kernel logs."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions that include the Freescale/NXP LPSPI (low\u2011power serial peripheral interface) SPI driver are affected. The vulnerability is present wherever the spi-fsl-lpspi module is loaded, regardless of kernel release, because no specific version is listed. Users of embedded devices, routers, or virtualization guests that rely on this driver are subject to the risk.", "description_and_impact": "The spi-fsl-lpspi driver in the Linux kernel contains a teardown order bug that causes a use\u2011after\u2011free of the DMA channel structures while a SPI transfer is in progress. When the driver\u2019s remove function tears down the DMA channels synchronously, the controller register remains freed, and a continued SPI transfer dereferences a null pointer. The resulting NULL pointer dereference triggers a kernel panic, leading to a system crash. This flaw could enable a local attacker that can drive the SPI controller to cause loss of availability or, if the crash can be fully controlled, potentially to elevate privileges or execute code in kernel space.", "risk_and_exploitability": "The CVSS score is not supplied, and the EPSS score is unavailable, so the precise quantitative risk is unknown. However, the flaw is an unchecked use\u2011after\u2011free that can be triggered by performing a SPI transfer while the driver is being removed, which is an action a local user with access to the device node or a privileged process can conceivably perform. The lack of a public KEV listing suggests that known exploits are not yet documented. In the absence of a high EPSS score, the primary threat is a potential local denial of service with a risk of privilege escalation if the kernel crash can be manipulated for code execution. The attack vector is inferred to be local, requiring the ability to initiate or control SPI transfers during driver unregistration."}}}}, "created": "2026-04-22T18:30:23.554718+00:00", "updated": "2026-04-22T19:00:08.091055+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}