{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23068", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.954Z", "datePublished": "2026-02-04T16:07:49.119Z", "dateUpdated": "2026-05-11T21:59:22.846Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:22.846Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-sprd-adi.c"], "versions": [{"version": "ac1775012058e13ef1522938e27f5973d9e3f053", "lessThan": "bddd3d10d039729b81cfb0804520c8832a701a0e", "status": "affected", "versionType": "git"}, {"version": "ac1775012058e13ef1522938e27f5973d9e3f053", "lessThan": "417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c", "status": "affected", "versionType": "git"}, {"version": "ac1775012058e13ef1522938e27f5973d9e3f053", "lessThan": "346775f2b4cf839177e8e86b94aa180a06dc15b0", "status": "affected", "versionType": "git"}, {"version": "ac1775012058e13ef1522938e27f5973d9e3f053", "lessThan": "f6d6b3f172df118db582fe5ec43ae223a55d99cf", "status": "affected", "versionType": "git"}, {"version": "ac1775012058e13ef1522938e27f5973d9e3f053", "lessThan": "383d4f5cffcc8df930d95b06518a9d25a6d74aac", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-sprd-adi.c"], "versions": [{"version": "4.17", "status": "affected"}, {"version": "0", "lessThan": "4.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e"}, {"url": "https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c"}, {"url": "https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0"}, {"url": "https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf"}, {"url": "https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac"}], "title": "spi: spi-sprd-adi: Fix double free in probe error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "73EF54A7-869E-4AD7-9BDE-8C935CABF254", "versionEndExcluding": "6.1.162", "versionStartIncluding": "4.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nspi: spi-sprd-adi: Corregir doble liberaci\u00f3n en la ruta de error de sondeo\n\nEl controlador actualmente usa spi_alloc_host() para asignar el controlador pero lo registra usando devm_spi_register_controller().\n\nSi devm_register_restart_handler() falla, el c\u00f3digo salta a la etiqueta put_ctlr y llama a spi_controller_put(). Sin embargo, dado que el controlador fue registrado a trav\u00e9s de una funci\u00f3n devm, el n\u00facleo del dispositivo llamar\u00e1 autom\u00e1ticamente a spi_controller_put() de nuevo cuando el sondeo falle. Esto resulta en una doble liberaci\u00f3n de la estructura spi_controller.\n\nCorregir esto cambiando a devm_spi_alloc_host() y eliminando la llamada manual a spi_controller_put()."}], "id": "CVE-2026-23068", "lastModified": "2026-03-13T21:27:37.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:17.500", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: spi: spi-sprd-adi: Fix double free in probe error path", "id": "2436767", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436767"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23068", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23068\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23068\nhttps://lore.kernel.org/linux-cve-announce/2026020417-CVE-2026-23068-0852@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T13:55:19.947430+00:00", "value": {"mitigation_remediation": ["Upgrade the system\u2019s kernel to a version that includes the fix (e.g., 6.19\u2011rc7 or later).", "If an immediate kernel upgrade is not possible, blacklist or unload the spi-sprd-adi driver to prevent the double\u2011free error from occurring.", "Continuously monitor kernel logs for related panics or OOPS messages and report any anomalies to the vendor."], "summary": {"action": "Patch Now", "impact": "Double free of SPI controller causing kernel memory corruption and potential crash or arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The issue affects Linux kernel 6.19 release candidates from rc1 through rc6, as indicated by the vendor\u2019s CPE listings. Systems running these kernel versions without the patch are susceptible.", "description_and_impact": "The vulnerability is a double free in the Linux kernel\u2019s SPI driver for SPRD ADI devices. When probe registration fails, the driver releases the controller both manually and through the device core, corrupting the kernel\u2019s memory management of the SPI controller. This leads to a double free identified as CWE\u2011415, which can cause kernel crashes and potentially allow local attackers to execute arbitrary code or gain elevated privileges within the kernel context.", "risk_and_exploitability": "With a CVSS score of 7.8, the vulnerability presents a medium\u2011high severity. The current EPSS score is below 1\u202f%, suggesting a low probability of exploitation at present, and it is not listed in CISA\u2019s KEV catalog. Nevertheless, the double\u2011free flaw can be invoked through the driver\u2019s error path and may lead to kernel instability or privilege escalation for users with local access that can trigger the problematic probe sequence."}}}}, "created": "2026-04-18T14:00:02.186552+00:00", "updated": "2026-04-18T14:00:02.186573+00:00", "vendors": []}