CVE-2026-46225: Linux RSPI Driver Denial of Service via Improper Resource Deregistration
A flaw has been found in how the Linux kernel's SPI (Serial Peripheral Interface) RSPI driver shuts down. When a system stops using the driver, it wasn't properly cleaning up in the right order—specifically, it was releasing DMA (direct memory access) resources before telling the SPI controller to stop. This ordering problem can cause the system to become unstable or crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: spi: rspi: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46225 addresses a resource management issue in the Linux kernel's SPI RSPI driver (drivers/spi/spi-rspi.c). The vulnerability stems from improper sequencing during driver unbind: the driver was releasing DMA resources before deregistering the SPI controller. This violates the correct tear-down sequence and can lead to use-after-free or NULL pointer dereference conditions when the controller attempts to access DMA handles or operations after they have been freed. The fix ensures the controller is deregistered first, allowing it to complete any pending operations and cleanly disconnect from the SPI framework before underlying DMA resources are released.
Business impact
Systems running affected Linux kernel versions that use RSPI controllers face potential availability risk. Driver unload or system shutdown scenarios could trigger kernel panics or hangs, disrupting service availability. In environments relying on SPI-based hardware devices (industrial controllers, embedded systems, specialized automotive or IoT deployments), this flaw increases downtime risk during maintenance windows or unexpected unload scenarios. The impact is primarily operational stability rather than data confidentiality or integrity.
Affected systems
The vulnerability affects the Linux kernel across all versions that contain the vulnerable RSPI driver code. Any system using an RSPI-compatible SPI controller—including certain Renesas microcontroller platforms and boards with RSPI hardware—running an unpatched kernel is at risk during driver unbind or module removal operations.
Exploitability
This vulnerability requires local access to trigger (CVSS attack vector: Local). An unprivileged local user with the ability to unload kernel modules or trigger driver unbind operations can cause a denial of service. The flaw is not remotely exploitable and does not enable privilege escalation or data theft. Exploitation is straightforward once local access is available, as it occurs during normal driver lifecycle operations.
Remediation
Apply a kernel update that includes the fix to ensure proper controller deregistration sequencing. The patch reorders the cleanup logic so that spi_unregister_controller() is called before DMA resources are released. Verify the specific kernel version or patch against the Linux kernel repository and your distribution's advisory. Systems should schedule maintenance windows to apply the patched kernel and reboot.
Patch guidance
Monitor your Linux distribution's security advisories for kernel updates that address this issue. Once available, install the patched kernel version and reboot the system to activate the fix. If you maintain custom kernels, pull the upstream fix from the Linux kernel repository and rebuild. Verify the patch commit references proper deregistration sequencing before DMA cleanup. Test driver unload/rebind operations in a non-production environment first if feasible.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for SPI controller or DMA-related warnings, NULL pointer dereference messages, or kernel panics occurring during driver unload or module removal. If you see stack traces involving spi-rspi.c or DMA teardown routines, investigate whether you are running a vulnerable kernel version. Check your kernel version with `uname -r` and cross-reference against vendor advisories. Systems using RSPI hardware should be inventoried and prioritized for patching.
Why prioritize this
Although marked MEDIUM severity (CVSS 5.5), this vulnerability should be prioritized for patching in environments where RSPI hardware is active or where frequent driver management occurs. The local-only and high-availability impact make it lower priority than remote exploitable flaws, but the straightforward trigger mechanism during normal operations (driver unload) elevates practical risk. Systems with SPI-dependent hardware or those performing regular kernel module management should patch sooner; general-purpose servers with no RSPI hardware can defer slightly longer but should not ignore the fix.
Risk score, explained
CVSS 3.1 score of 5.5 (MEDIUM) reflects: local attack vector (cannot be exploited remotely), low attack complexity (normal driver operations), low privileges required (unprivileged user can unload modules), no user interaction needed, single user scope, and high availability impact (denial of service via crash). The score appropriately captures that while impact is real and easy to trigger locally, the restriction to local access and lack of confidentiality/integrity compromise limit the overall severity. The real-world risk depends on your reliance on RSPI hardware and frequency of driver lifecycle operations.
Frequently asked questions
Does this affect my system if I don't use RSPI hardware?
Likely not. If your Linux system doesn't have RSPI-compatible hardware (most common x86 servers don't), the vulnerable code path may not be exercised. However, to be safe, you should still apply the kernel patch as part of routine security updates, since you may not have complete visibility into your hardware stack.
Can this vulnerability be exploited remotely?
No. This is a local denial-of-service flaw. An attacker would need direct access to the system and the ability to trigger driver unload operations (typically requiring local login or module-load privileges). There is no network-based exploitation path.
What happens if I don't patch?
If your system uses RSPI hardware and encounters a driver unload or unbind operation (during module removal, system shutdown, or hardware reconfiguration), you risk a kernel panic or hang. This results in downtime. Non-RSPI systems face negligible risk but should still patch opportunistically.
Is there a workaround if I cannot patch immediately?
The most practical workaround is to avoid driver unload/rebind operations if possible—leave the driver loaded for the lifetime of the system and avoid hot-unplugging RSPI hardware. However, this is not always feasible. Patching at your earliest maintenance window is strongly recommended.
This analysis is provided for informational purposes and reflects publicly available CVE data as of the publication date. CVSS scores and severity ratings are derived from the official CVE record. Patch availability, affected versions, and remediation timelines vary by Linux distribution and organization; consult your vendor's security advisory for specific guidance. SEC.co makes no warranty regarding the completeness or applicability of this information to your environment. Always test patches in a non-production environment and follow your organization's change management procedures before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure