{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23202", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:26.365Z", "dateUpdated": "2026-05-11T22:02:17.947Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:17.947Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-tegra210-quad.c"], "versions": [{"version": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2", "lessThan": "9fa4262a80f751d14a6a39d2c03f57db68da2618", "status": "affected", "versionType": "git"}, {"version": "83309dd551cfd60a5a1a98d9cab19f435b44d46d", "lessThan": "762e2ce71c8f0238e9eaf05d14da803d9a24422f", "status": "affected", "versionType": "git"}, {"version": "c934e40246da2c5726d14e94719c514e30840df8", "lessThan": "712cde8d916889e282727cdf304a43683adf899e", "status": "affected", "versionType": "git"}, {"version": "551060efb156c50fe33799038ba8145418cfdeef", "lessThan": "6fd446178a610a48e80e5c5b487b0707cd01daac", "status": "affected", "versionType": "git"}, {"version": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc", "lessThan": "3bc293d5b56502068481478842f57b3d96e432c7", "status": "affected", "versionType": "git"}, {"version": "b4e002d8a7cee3b1d70efad0e222567f92a73000", "lessThan": "bf4528ab28e2bf112c3a2cdef44fd13f007781cd", "status": "affected", "versionType": "git"}, {"version": "bb0c58be84f907285af45657c1d4847b960a12bf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-tegra210-quad.c"], "versions": [{"version": "5.15.198", "lessThan": "5.15.200", "status": "affected", "versionType": "semver"}, {"version": "6.1.160", "lessThan": "6.1.163", "status": "affected", "versionType": "semver"}, {"version": "6.6.120", "lessThan": "6.6.124", "status": "affected", "versionType": "semver"}, {"version": "6.12.63", "lessThan": "6.12.70", "status": "affected", "versionType": "semver"}, {"version": "6.18.2", "lessThan": "6.18.10", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.198", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.160", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.120", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.63", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.2", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9fa4262a80f751d14a6a39d2c03f57db68da2618"}, {"url": "https://git.kernel.org/stable/c/762e2ce71c8f0238e9eaf05d14da803d9a24422f"}, {"url": "https://git.kernel.org/stable/c/712cde8d916889e282727cdf304a43683adf899e"}, {"url": "https://git.kernel.org/stable/c/6fd446178a610a48e80e5c5b487b0707cd01daac"}, {"url": "https://git.kernel.org/stable/c/3bc293d5b56502068481478842f57b3d96e432c7"}, {"url": "https://git.kernel.org/stable/c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd"}], "title": "spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9086ED9F-28EF-4E81-ACC8-DD9C0694960D", "versionEndExcluding": "5.15.200", "versionStartIncluding": "5.15.198", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD2D07F5-E7EF-418E-8FCC-7EA75E155311", "versionEndExcluding": "6.1.163", "versionStartIncluding": "6.1.160", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "589180AE-205F-411A-BB02-6DCA1C9766FE", "versionEndExcluding": "6.6.124", "versionStartIncluding": "6.6.120", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEECD823-DAFD-40C2-AFA9-F4E308AB7796", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.12.63", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C298528-1754-41BD-B4E9-84A37AB7BA32", "versionEndExcluding": "6.18", "versionStartIncluding": "6.17.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EF65418-FC18-4809-98E5-14B1A2C57DF8", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer\n\nThe curr_xfer field is read by the IRQ handler without holding the lock\nto check if a transfer is in progress. When clearing curr_xfer in the\ncombined sequence transfer loop, protect it with the spinlock to prevent\na race with the interrupt handler.\n\nProtect the curr_xfer clearing at the exit path of\ntegra_qspi_combined_seq_xfer() with the spinlock to prevent a race\nwith the interrupt handler that reads this field.\n\nWithout this protection, the IRQ handler could read a partially updated\ncurr_xfer value, leading to NULL pointer dereference or use-after-free."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nspi: tegra210-quad: Proteger curr_xfer en tegra_qspi_combined_seq_xfer\n\nEl campo curr_xfer es le\u00eddo por el manejador IRQ sin mantener el bloqueo para verificar si una transferencia est\u00e1 en curso. Al limpiar curr_xfer en el bucle de transferencia de secuencia combinada, protegerlo con el spinlock para evitar una condici\u00f3n de carrera con el manejador de interrupciones.\n\nProteger la limpieza de curr_xfer en la ruta de salida de tegra_qspi_combined_seq_xfer() con el spinlock para evitar una condici\u00f3n de carrera con el manejador de interrupciones que lee este campo.\n\nSin esta protecci\u00f3n, el manejador IRQ podr\u00eda leer un valor curr_xfer parcialmente actualizado, lo que llevar\u00eda a una desreferencia de puntero NULL o uso despu\u00e9s de liberaci\u00f3n."}], "id": "CVE-2026-23202", "lastModified": "2026-03-19T16:35:07.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:58.050", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3bc293d5b56502068481478842f57b3d96e432c7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6fd446178a610a48e80e5c5b487b0707cd01daac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/712cde8d916889e282727cdf304a43683adf899e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/762e2ce71c8f0238e9eaf05d14da803d9a24422f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9fa4262a80f751d14a6a39d2c03f57db68da2618"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bf4528ab28e2bf112c3a2cdef44fd13f007781cd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer", "id": "2439908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439908"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23202", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23202\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23202\nhttps://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23202-0480@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[88db8bb7ed1bb474618acdf05ebd4f0758d244e2,9fa4262a80f751d14a6a39d2c03f57db68da2618)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[83309dd551cfd60a5a1a98d9cab19f435b44d46d,762e2ce71c8f0238e9eaf05d14da803d9a24422f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c934e40246da2c5726d14e94719c514e30840df8,712cde8d916889e282727cdf304a43683adf899e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[551060efb156c50fe33799038ba8145418cfdeef,6fd446178a610a48e80e5c5b487b0707cd01daac)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[01bbf25c767219b14c3235bfa85906b8d2cb8fbc,3bc293d5b56502068481478842f57b3d96e432c7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b4e002d8a7cee3b1d70efad0e222567f92a73000,bf4528ab28e2bf112c3a2cdef44fd13f007781cd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "bb0c58be84f907285af45657c1d4847b960a12bf"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.15.198,5.15.200)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.160,6.1.163)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.6.120,6.6.124)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.12.63,6.12.70)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.18.2,6.18.10)"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:12:26.285637+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the spinlock fix for tegra_qspi_combined_seq_xfer.", "Reboot the system to ensure the patched kernel is running.", "If an upgrade is not immediately possible, disable or limit access to the tegra qspi device to reduce the attack surface."], "summary": {"action": "Apply patch", "impact": "Denial of Service via kernel crash due to NULL pointer dereference or use-after\u2011free"}, "threat_synthesis": {"affected_systems": "Affects the Linux kernel\u2019s tegra210\u2011quad SPI driver. Versions 6.19 rc1 through rc8 contain the vulnerable code before the lock was added. Any custom kernel build that includes the unchecked tegra_qspi_combined_seq_xfer logic is also affected.", "description_and_impact": "The flaw stems from a race condition during communication with the tegra210\u2011quad SPI peripheral. One handler reads a field while another clears it without holding a lock. This can allow the handler to observe an intermediate, potentially null, state and subsequently dereference a NULL pointer or a freed object. The description does not explicitly state the consequences for the system, but it is inferred that the kernel could crash, causing denial of service. The weakness corresponds to CWE\u2011476.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate impact. The EPSS score (<1%) suggests a very low likelihood of an active exploitation vector. It is not listed in CISA KEV. Based on the description, it is inferred that the attack would require local or privileged access to trigger the race condition, so remote exploitation is unlikely. The overall risk remains moderate with a low probability of exploitation, but the denial of service nature warrants attention."}}}}, "created": "2026-02-16T09:43:30.783882+00:00", "updated": "2026-04-18T12:15:15.787273+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}