CVE-2026-46226: Linux Kernel Freescale SPI Controller DoS Vulnerability
A flaw in the Linux kernel's Freescale SPI controller driver can cause a system crash when the driver is unloaded. The issue occurs because the driver releases hardware resources (like DMA) before properly shutting down the SPI controller, leaving it in an inconsistent state. An attacker with local system access could trigger this crash by unloading the driver, resulting in a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46226 is a use-after-free vulnerability in the fsl_spi driver (Freescale SPI controller driver) within the Linux kernel. During driver unbind (module removal or device hot-unplug), the deregistration sequence was not properly ordered. The controller was being released while still holding references to underlying DMA resources, creating a window where the controller attempts to access freed memory. The fix ensures deregistration of the SPI controller occurs before DMA and other resources are released, restoring proper cleanup ordering.
Business impact
For organizations running Linux systems with Freescale SPI controllers—primarily embedded systems, industrial IoT devices, and certain ARM-based platforms—this vulnerability allows local attackers to crash the kernel without requiring elevated privileges. Repeated crashes can disrupt availability of affected devices. This is particularly concerning in production environments where driver reloads or device hot-swapping may occur as part of normal operations or recovery procedures.
Affected systems
The vulnerability affects the Linux kernel across all versions prior to the fix. Systems with Freescale (NXP) SPI controllers are affected, which includes many ARM-based embedded systems, IoT devices, and edge computing platforms. Impact is limited to local attackers; remote exploitation is not possible. Systems without SPI hardware or those not using the fsl_spi driver are not affected.
Exploitability
Exploitability is straightforward for local users. The attack requires only the ability to trigger driver unbind—either through rmmod (module removal) or by manually triggering device unbind via sysfs. No special privileges beyond local access are needed, and no user interaction is required. The CVSS score of 5.5 reflects this local attack vector with high availability impact but no confidentiality or integrity compromise.
Remediation
Apply the Linux kernel patch that reorders the controller deregistration sequence to occur before resource cleanup. Verify the patch is present in your kernel version by checking the commit log or release notes. For distributions, wait for kernel updates from your vendor; most major Linux distributions will backport this fix into their stable kernel branches.
Patch guidance
Check your kernel version against your Linux distribution's advisory channels. Ubuntu, Red Hat, Debian, and other distributions will release patched kernel packages. Subscribe to your vendor's security mailing list for notification of availability. If you maintain a custom kernel build, apply the upstream patch from the Linux kernel repository and recompile. Test the patched kernel in a non-production environment before rolling out broadly, particularly for embedded or IoT deployments.
Detection guidance
Monitor kernel logs for SPI controller errors during driver unbind or module unload operations. Watch for kernel oops or panic messages containing 'fsl_spi' or 'spi_master'. In production, enable kernel crash dumps (kdump) to preserve evidence of exploitation attempts. On systems where driver unloading is infrequent, sudden or unexpected driver unbind events should be investigated. Intrusion detection systems can flag unusual patterns of rmmod commands targeting the spi driver module.
Why prioritize this
Although the CVSS score is moderate (5.5), prioritization should be based on your deployment model. If your infrastructure includes Freescale SPI-based devices or embedded Linux systems where driver reloading is part of operational procedures, move this to high priority. For typical datacenter or cloud environments without this hardware, prioritize lower. The local-only attack vector and requirement for explicit driver unbind action limit immediate risk in well-secured environments, but the denial of service impact warrants timely patching.
Risk score, explained
The CVSS 3.1 score of 5.5 (Medium) reflects: local attack vector (AV:L) with low attack complexity (AC:L), requiring low privilege (PR:L) and no user interaction (UI:N). The impact is confined to availability (A:H), with no confidentiality or integrity loss (C:N/I:N). While the score is moderate, the actual risk in your environment depends heavily on whether you operate affected hardware and how tightly you control local access and driver management.
Frequently asked questions
Is this vulnerability remotely exploitable?
No. The vulnerability requires local system access and explicit action to unbind the SPI driver. Remote attackers cannot trigger the crash over the network.
Do I need to patch if my systems don't have Freescale SPI controllers?
No. If you don't use Freescale SPI hardware or the fsl_spi driver is not present in your kernel, you are not affected. Verify with 'lsmod | grep fsl_spi' or check your device tree/hardware configuration.
What happens if the vulnerability is exploited?
The kernel crashes due to attempting to access freed memory. This causes a denial of service—the affected device or system will reboot or halt. No data corruption or privilege escalation occurs.
Can this be exploited without root privileges?
Yes. While unprivileged users typically cannot directly remove kernel modules, on systems where users have access to unbind devices (e.g., through sysfs), the vulnerability can be triggered. The exact exploitability depends on your local access controls and sysfs permissions.
This analysis is based on publicly available vulnerability data current as of the publication date. For the most up-to-date patch status, version numbers, and distribution-specific guidance, consult your Linux vendor's security advisory and the official Linux kernel security mailing list. SEC.co does not provide exploit code or weaponized proof-of-concepts. Test all patches in a non-production environment before deployment. If you discover evidence of active exploitation, contact your vendor's security team and relevant incident response authorities. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure