{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23475", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.022Z", "datePublished": "2026-04-03T15:15:54.211Z", "dateUpdated": "2026-04-03T15:15:54.211Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:54.211Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "f13100b1f5f111989f0750540a795fdef47492af", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "df30056c78e8bead02d4be020199cabdbec0fef1", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "378b295f67102eef78cf2c28105f60ae1dab5cc1", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "118ce777d39f03cac99231196f820e4f998613a8", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "dee0774bbb2abb172e9069ce5ffef579b12b3ae9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e"}, {"url": "https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492af"}, {"url": "https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1"}, {"url": "https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1"}, {"url": "https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8"}, {"url": "https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9"}], "title": "spi: fix statistics allocation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres)."}], "id": "CVE-2026-23475", "lastModified": "2026-04-03T16:16:35.440", "metrics": {}, "published": "2026-04-03T16:16:35.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492af"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,f13100b1f5f111989f0750540a795fdef47492af)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,df30056c78e8bead02d4be020199cabdbec0fef1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,378b295f67102eef78cf2c28105f60ae1dab5cc1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,118ce777d39f03cac99231196f820e4f998613a8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,dee0774bbb2abb172e9069ce5ffef579b12b3ae9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T20:36:39.623942+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit allocating controller statistics during construction.", "If an update cannot be applied immediately, unbind or disable the affected SPI devices to remove sysfs exposure until the patch is available.", "Restrict read/write permissions on the SPI sysfs attributes to privileged users only to reduce the attack surface."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel versions that include the pre\u2011commit SPI driver code. Any system running a kernel build that has not incorporated the change that allocates statistics during controller construction is vulnerable. The affected product is the Linux kernel, specifically the SPI core.", "description_and_impact": "In the Linux kernel, the SPI subsystem contains a flaw where controller statistics are allocated only after the controller has been registered with driver core. Until that point, accessing sysfs attributes for the controller can dereference a NULL pointer, which triggers a kernel panic. This results in a denial of service by crashing the kernel.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable, indicating no publicly available data on exploitation potential. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires local access to the SPI sysfs attributes; an attacker would need to read or write these attributes before the controller is fully registered. Successful exploitation leads to a kernel panic and system reboot, but no public exploits are currently documented."}}}}, "created": "2026-04-03T21:13:23.982930+00:00", "title": "Linux Kernel SPI Controller Null Pointer Dereference via Sysfs Access", "updated": "2026-04-03T21:15:39.074233+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}