{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23207","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.986Z","datePublished":"2026-02-14T16:27:29.762Z","dateUpdated":"2026-05-11T22:02:23.639Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:23.639Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer check in IRQ handler\n\nNow that all other accesses to curr_xfer are done under the lock,\nprotect the curr_xfer NULL check in tegra_qspi_isr_thread() with the\nspinlock. Without this protection, the following race can occur:\n\n  CPU0 (ISR thread)              CPU1 (timeout path)\n  ----------------               -------------------\n  if (!tqspi->curr_xfer)\n    // sees non-NULL\n                                 spin_lock()\n                                 tqspi->curr_xfer = NULL\n                                 spin_unlock()\n  handle_*_xfer()\n    spin_lock()\n    t = tqspi->curr_xfer  // NULL!\n    ... t->len ...        // NULL dereference!\n\nWith this patch, all curr_xfer accesses are now properly synchronized.\n\nAlthough all accesses to curr_xfer are done under the lock, in\ntegra_qspi_isr_thread() it checks for NULL, releases the lock and\nreacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer().\nThere is a potential for an update in between, which could cause a NULL\npointer dereference.\n\nTo handle this, add a NULL check inside the handlers after acquiring\nthe lock. This ensures that if the timeout path has already cleared\ncurr_xfer, the handler will safely return without dereferencing the\nNULL pointer."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/spi/spi-tegra210-quad.c"],"versions":[{"version":"551060efb156c50fe33799038ba8145418cfdeef","lessThan":"84e926c1c272a35ddb9b86842d32fa833a60dfc7","status":"affected","versionType":"git"},{"version":"01bbf25c767219b14c3235bfa85906b8d2cb8fbc","lessThan":"2ac3a105e51496147c0e44e49466eecfcc532d57","status":"affected","versionType":"git"},{"version":"b4e002d8a7cee3b1d70efad0e222567f92a73000","lessThan":"edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e","status":"affected","versionType":"git"},{"version":"88db8bb7ed1bb474618acdf05ebd4f0758d244e2","status":"affected","versionType":"git"},{"version":"83309dd551cfd60a5a1a98d9cab19f435b44d46d","status":"affected","versionType":"git"},{"version":"c934e40246da2c5726d14e94719c514e30840df8","status":"affected","versionType":"git"},{"version":"bb0c58be84f907285af45657c1d4847b960a12bf","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/spi/spi-tegra210-quad.c"],"versions":[{"version":"6.12.63","lessThan":"6.12.80","status":"affected","versionType":"semver"},{"version":"6.18.2","lessThan":"6.18.10","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.63","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.2","versionEndExcluding":"6.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/84e926c1c272a35ddb9b86842d32fa833a60dfc7"},{"url":"https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57"},{"url":"https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e"}],"title":"spi: tegra210-quad: Protect curr_xfer check in IRQ handler","x_generator":{"engine":"bippy-1.2.0"}}}}