{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23475", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.022Z", "datePublished": "2026-04-03T15:15:54.211Z", "dateUpdated": "2026-05-11T22:07:44.110Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:44.110Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "f13100b1f5f111989f0750540a795fdef47492af", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "df30056c78e8bead02d4be020199cabdbec0fef1", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "378b295f67102eef78cf2c28105f60ae1dab5cc1", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "118ce777d39f03cac99231196f820e4f998613a8", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "dee0774bbb2abb172e9069ce5ffef579b12b3ae9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e"}, {"url": "https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492af"}, {"url": "https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1"}, {"url": "https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1"}, {"url": "https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8"}, {"url": "https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9"}], "title": "spi: fix statistics allocation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres)."}], "id": "CVE-2026-23475", "lastModified": "2026-04-07T13:20:55.200", "metrics": {}, "published": "2026-04-03T16:16:35.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492af"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: spi: fix statistics allocation", "id": "2454842", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454842"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's Serial Peripheral Interface (SPI) component. The system's per-CPU statistics for the SPI controller were not allocated until after the controller was registered. This created a window where a local user or process could access system files (sysfs attributes) related to the SPI controller, leading to a NULL-pointer dereference. This vulnerability can cause a system crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23475", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23475\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23475\nhttps://lore.kernel.org/linux-cve-announce/2026040323-CVE-2026-23475-8bf5@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,f13100b1f5f111989f0750540a795fdef47492af)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,df30056c78e8bead02d4be020199cabdbec0fef1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,378b295f67102eef78cf2c28105f60ae1dab5cc1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,118ce777d39f03cac99231196f820e4f998613a8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,dee0774bbb2abb172e9069ce5ffef579b12b3ae9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-04T03:41:07.691604+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that contains the SPI statistics allocation fix.", "If an update cannot be applied immediately, restrict or disable access to the spi driver sysfs entries by adjusting file permissions.", "Verify that the driver is fully registered before interacting with its sysfs attributes.", "Monitor kernel logs for related Oops or panic messages."], "summary": {"action": "Apply Patch", "impact": "Denial of Service / Kernel Crash"}, "threat_synthesis": {"affected_systems": "Any Linux kernel version containing the old SPI driver implementation before the fix was merged is affected. The vendor record lists \"Linux:Linux\" and the CPE identifier indicates all linux_kernel builds. Therefore all architectures that run an unpatched kernel are vulnerable.", "description_and_impact": "The Linux kernel did not allocate per\u2011CPU statistics until the controller was fully registered, creating a window in which reading the driver\u2019s sysfs entries could trigger a NULL\u2011pointer dereference. This results in an Oops and a kernel crash, leading to a denial\u2011of\u2011service impact. The weakness is a null pointer dereference (CWE\u2011824) and is resolved by moving allocation into controller initialization.", "risk_and_exploitability": "With a CVSS score of 5.5 and no EPSS data, the risk is moderate. The vulnerability is not in KEV. Exploitation requires local access to the sysfs interface; a user can trigger a kernel panic by accessing the driver attributes during the allocation window. There is no remote code execution risk, but a local attacker can cause a system crash."}}}}, "created": "2026-04-03T21:13:23.982930+00:00", "updated": "2026-04-07T07:17:04.394250+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}