{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31485","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.101Z","datePublished":"2026-04-22T13:54:10.892Z","dateUpdated":"2026-05-11T22:09:38.585Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:09:38.585Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/spi/spi-fsl-lpspi.c"],"versions":[{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"ca4483f36ac1b62e69f8b182c5b8f059e0abecfb","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"e3fd54f8b0317fbccc103961ddd660f2a32dcf0b","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"adb25339b66112393fd6892ceff926765feb5b86","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"d5d01f24bc6fbde40b4e567ef9160194b61267bc","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"15650dfbaeeb14bcaaf053b93cf631db8d465300","status":"affected","versionType":"git"},{"version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","lessThan":"b341c1176f2e001b3adf0b47154fc31589f7410e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/spi/spi-fsl-lpspi.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.168","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"},{"url":"https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb"},{"url":"https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b"},{"url":"https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86"},{"url":"https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc"},{"url":"https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3"},{"url":"https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300"},{"url":"https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e"}],"title":"spi: spi-fsl-lpspi: fix teardown order issue (UAF)","x_generator":{"engine":"bippy-1.2.0"}}}}