CVE-2026-46296: Linux Kernel S3C64xx SPI Driver NULL-Pointer Dereference on Unbind
A bug in the Linux kernel's SPI driver for Samsung S3C64xx controllers can crash the system when the driver is unloaded. The issue stems from incomplete refactoring: code that allocates DMA channels was moved from initialization to a later setup phase, but the corresponding cleanup code was not removed from the driver shutdown process. When the driver unloads, it tries to release DMA resources that were never allocated, triggering a NULL-pointer crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: spi: s3c64xx: fix NULL-deref on driver unbind A change moving DMA channel allocation from probe() back to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove(). Drop the bogus DMA channel release from remove() to avoid triggering a NULL-pointer dereference on driver unbind. This issue was flagged by Sashiko when reviewing a controller deregistration fix.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46296 is a NULL-pointer dereference vulnerability in the s3c64xx SPI controller driver (drivers/spi/spi-s3c64xx.c). During a refactoring, DMA channel allocation was relocated from the probe() function to s3c64xx_spi_prepare_transfer(), which is called during SPI transfers. However, the corresponding DMA channel deallocation logic was not removed from the remove() function. On driver unbind, the remove() handler attempts to free DMA channels that were never allocated, dereferencing a NULL pointer and crashing the kernel. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).
Business impact
This vulnerability affects system stability on platforms using S3C64xx SPI controllers. While local privilege escalation is not possible, an unprivileged user can trigger a kernel panic by causing the driver to unload, resulting in denial of service. This is particularly relevant for embedded systems, IoT devices, or servers where SPI flash storage or SPI-attached peripherals rely on this controller. Unplanned system crashes disrupt operations and may corrupt state if filesystems are not cleanly unmounted.
Affected systems
The vulnerability affects Linux kernel versions with the refactored s3c64xx SPI driver code. Specifically, systems running on Samsung S3C64xx or compatible SoCs (such as S3C6410, S3C6400) that use the in-tree s3c64xx SPI controller driver are impacted. This includes ARM-based embedded platforms and some older mobile devices based on these chipsets. The issue exists until the bogus DMA deallocation is removed from the remove() function.
Exploitability
Exploitability requires local system access and the ability to trigger driver unbind events. An unprivileged user with access to sysfs can unbind the SPI driver by writing to /sys/bus/spi/drivers/s3c64xx-spi/unbind, causing the NULL-pointer dereference and system crash. No special privileges, authentication, or user interaction beyond local access is required. The attack is reliable and repeatable.
Remediation
Remove the erroneous DMA channel deallocation code from the remove() function in the s3c64xx SPI driver. The fix is straightforward: delete the dma_release_channel() calls that reference DMA channels that are no longer allocated at driver initialization. Kernel maintainers must ensure that deallocation logic matches the current allocation lifecycle. Verify the patch against the official Linux kernel repository to confirm the exact lines removed.
Patch guidance
Apply the latest Linux kernel update for your branch that includes the s3c64xx SPI driver fix. Check the Linux kernel security advisories and your distribution's kernel release notes for the patched version. For custom or vendor kernels, backport the fix by removing the incorrect DMA deallocation from the remove() function. If you maintain your own kernel tree, cherry-pick the upstream commit that resolves this issue. Recompile and test on hardware with S3C64xx SPI controllers to ensure proper driver shutdown without panics.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for NULL-pointer dereference messages originating from s3c64xx SPI driver code, particularly during driver unbind or system shutdown. Kernel crash dumps and 'BUG: kernel NULL pointer dereference' lines indicate exploitation. Automated log analysis can flag these patterns. If you suspect exposure, check running kernel version against the patched release. On systems where SPI driver unbind is logged, correlate NULL-pointer faults with sysfs unbind operations on spi devices. Test labs should trigger intentional driver unbind (via sysfs) to detect the crash before production deployment.
Why prioritize this
Although rated MEDIUM severity (CVSS 5.5), prioritize patching based on your deployment model. This is a high-priority fix for systems where S3C64xx SPI controllers are actively used and where driver unbind might occur during updates, maintenance, or device reconfiguration. For data center or cloud environments using other SPI controllers, the impact is lower. Embedded device manufacturers and OEMs supporting S3C64xx-based products should prioritize this as a stability fix to prevent customer-facing system crashes. The attack vector is local and requires user interaction (unbind), which somewhat limits enterprise risk, but the reliability of the crash makes it a clear DoS vector.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector: Local (AV:L) — requires local system access; Attack Complexity: Low (AC:L) — trivial to trigger via sysfs; Privileges Required: Low (PR:L) — unprivileged user suffices; User Interaction: None (UI:N) — no user interaction beyond unbind command; Confidentiality: None (C:N) — no information disclosure; Integrity: None (I:N) — no data corruption; Availability: High (A:H) — kernel panic causes system crash. The high availability impact is offset by the local-only attack vector, resulting in a moderate overall score. Organizations relying on S3C64xx hardware should treat this as higher priority within their own risk assessment.
Frequently asked questions
Can a remote attacker exploit this vulnerability?
No. This vulnerability requires local system access to unbind the SPI driver via sysfs. Remote exploitation is not possible. Only users with local shell access or privileged control over sysfs can trigger the crash.
Will this affect my Linux server if it does not use S3C64xx SPI controllers?
Unlikely. The vulnerability is specific to the s3c64xx SPI driver. If your server uses Intel, AMD, or other non-Samsung SoCs without S3C64xx SPI peripherals, you are not affected. Verify your SoC model and check whether the s3c64xx driver is compiled into your kernel.
What happens if the fix is not applied?
On affected systems, any attempt to unbind the s3c64xx SPI driver will trigger a NULL-pointer dereference, causing a kernel panic and immediate system crash. This can be triggered during driver updates, device reconfiguration, or maintenance windows, leading to unplanned downtime and potential data loss if filesystems are not cleanly unmounted.
Is there a workaround if I cannot immediately patch my kernel?
A temporary mitigation is to prevent driver unbind by restricting sysfs access to the SPI driver unbind interface (via file permissions or SELinux policies) until a patch can be applied. However, this only masks the symptom; patching is the proper solution. If SPI driver functionality is not required, disabling the driver at compile time is another option.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and patching decisions. The information is based on public CVE data and Linux kernel advisories. Verify all technical details, patch versions, and affected product lists against official vendor documentation and the Linux kernel repository. This explainer does not constitute professional security advice; consult with your security team and vendor for environment-specific guidance. No exploit code or detailed attack steps are provided. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference