{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31389", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.084Z", "datePublished": "2026-04-03T15:15:55.068Z", "dateUpdated": "2026-05-11T22:07:45.283Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:45.283Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "0e23f50086da7d0b183dfeac26021acfcdee086b", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "6bbd385b30c7fb6c7ee0669e9ada91490938c051", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "afe27c1f43aa57530011f419be6ddf71306565d2", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "80f3e8cd2b4ad355b2ad2024cf423f6d183404f7", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "23b51bad2eb8787aa74324cfccefb258515ae5ba", "status": "affected", "versionType": "git"}, {"version": "6598b91b5ac32bc756d7c3000a31f775d4ead1c4", "lessThan": "8634e05b08ead636e926022f4a98416e13440df9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"}, {"url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"}, {"url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"}, {"url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"}, {"url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"}, {"url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"}], "title": "spi: fix use-after-free on controller registration failure", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses."}], "id": "CVE-2026-31389", "lastModified": "2026-04-27T14:16:35.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:36.823", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: spi: fix use-after-free on controller registration failure", "id": "2454859", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454859"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's Serial Peripheral Interface (SPI) subsystem. During controller registration, a use-after-free vulnerability can occur if the allocation of per-CPU statistics fails. This could allow a local attacker to cause system instability or a denial of service by accessing freed memory."], "name": "CVE-2026-31389", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31389\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31389\nhttps://lore.kernel.org/linux-cve-announce/2026040324-CVE-2026-31389-036b@gregkh/T"], "statement": "This vulnerability occurs only during an unlikely error path when per-CPU statistics allocation fails during SPI controller registration. Under normal system operation with adequate memory, this path is not exercised. The practical exploitability is very limited as it requires triggering a specific allocation failure during driver initialization.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,0e23f50086da7d0b183dfeac26021acfcdee086b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,6bbd385b30c7fb6c7ee0669e9ada91490938c051)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,afe27c1f43aa57530011f419be6ddf71306565d2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,80f3e8cd2b4ad355b2ad2024cf423f6d183404f7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,23b51bad2eb8787aa74324cfccefb258515ae5ba)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6598b91b5ac32bc756d7c3000a31f775d4ead1c4,8634e05b08ead636e926022f4a98416e13440df9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.167,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.130,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.78,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:36:43.990273+00:00", "value": {"mitigation_remediation": ["Update the kernel to a release that includes the SPI controller use\u2011after\u2011free fix.", "Ensure that all modules interacting with the SPI controller are compiled for the new kernel or are replaced with updated versions that include the fix.", "If an immediate kernel update is not available, restrict SPI controller use by disabling unnecessary devices at boot or using device tree overrides to avoid dynamic registration."], "summary": {"action": "Patch Update", "impact": "Local Privilege Escalation (Use-Af\u2026ter-Free)"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations that include the affected SPI registration code are vulnerable. The flaw exists in the mainline kernel source that was current when the fix was made. No specific downstream distribution or kernel release list is supplied, so any system running an unpatched kernel before the commit that introduced the removal of this bug is at risk.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free condition in the Linux kernel\u2019s SPI controller registration path. When per\u2011CPU statistics allocation fails, the kernel does not deregister the driver correctly, leaving freed driver resources that can still be accessed. Failure to clean up in this unlikely scenario can lead to an attacker executing arbitrary code inside the kernel or causing a crash. The weakness is formally classified as CWE\u2011825.", "risk_and_exploitability": "The CVSS rating of 7.8 indicates a high severity, and the EPSS value of less than 1\u00a0% suggests that exploitation is unlikely in the wild. The defect is not listed in CISA\u2019s KEV catalog. A successful exploitation would require local kernel access or the ability to trigger the controller registration failure, which is an inferred local attack vector; remote exploitation is not documented."}}}}, "created": "2026-04-03T21:13:22.992528+00:00", "updated": "2026-04-28T16:45:06.168742+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}