{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31489", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.101Z", "datePublished": "2026-04-22T13:54:13.602Z", "dateUpdated": "2026-05-11T22:09:43.298Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:43.298Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-meson-spicc.c"], "versions": [{"version": "8311ee2164c5cd1b63a601ea366f540eae89f10e", "lessThan": "40ad0334c17b23d8b66b1082ad1478a6202e90e2", "status": "affected", "versionType": "git"}, {"version": "8311ee2164c5cd1b63a601ea366f540eae89f10e", "lessThan": "da06a104f0486355073ff0d1bcb1fcbebb7080d6", "status": "affected", "versionType": "git"}, {"version": "8311ee2164c5cd1b63a601ea366f540eae89f10e", "lessThan": "9b812ceb75a6260c17c91db4b9e74ead8cfa06f5", "status": "affected", "versionType": "git"}, {"version": "8311ee2164c5cd1b63a601ea366f540eae89f10e", "lessThan": "63542bb402b7013171c9f621c28b609eda4dbf1f", "status": "affected", "versionType": "git"}, {"version": "ff056817560d72363b463ddac27822dc8c121280", "status": "affected", "versionType": "git"}, {"version": "683b47d0ebb10ba0d272604b09686e023d10d40c", "status": "affected", "versionType": "git"}, {"version": "a5bf7ef13ebf6adf62a69ab3542d4fc0564c082e", "status": "affected", "versionType": "git"}, {"version": "05565b469358a9a03034f7f712d83590a9f125a4", "status": "affected", "versionType": "git"}, {"version": "f2ca988aba4eaad1319e80eb1316a4ba5dbd6897", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-meson-spicc.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.244"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.58"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2"}, {"url": "https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6"}, {"url": "https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5"}, {"url": "https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f"}], "title": "spi: meson-spicc: Fix double-put in remove path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BB634A6-F36F-476C-94DA-84A3ABF7A170", "versionEndExcluding": "4.15", "versionStartIncluding": "4.14.244", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "701FECB5-CEA6-4D3E-868E-F70A777945E0", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.203", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "75CD851C-0372-41B3-9A47-AC6DD48C6AB3", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.140", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D3DC93-FB8F-4C90-807D-BD2092747B75", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.58", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C09DC193-F9A8-4983-B677-7CE60D711D40", "versionEndExcluding": "5.14", "versionStartIncluding": "5.13.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1077EA71-D36D-44EB-AEF6-7978036231E8", "versionEndExcluding": "6.12.80", "versionStartIncluding": "5.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*", "matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put."}], "id": "CVE-2026-31489", "lastModified": "2026-04-28T12:57:37.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:46.603", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: spi: meson-spicc: Fix double-put in remove path", "id": "2460729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460729"}, "csaw": false, "cwe": "CWE-1341", "details": ["A flaw was found in the Linux kernel's meson-spicc Serial Peripheral Interface (SPI) controller driver. This vulnerability occurs due to a double-put operation when removing the controller, where the spi_controller_put() function is called redundantly. This can lead to memory corruption, potentially causing a system crash and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31489", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31489\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31489\nhttps://lore.kernel.org/linux-cve-announce/2026042201-CVE-2026-31489-3a01@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8311ee2164c5cd1b63a601ea366f540eae89f10e,40ad0334c17b23d8b66b1082ad1478a6202e90e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8311ee2164c5cd1b63a601ea366f540eae89f10e,da06a104f0486355073ff0d1bcb1fcbebb7080d6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8311ee2164c5cd1b63a601ea366f540eae89f10e,9b812ceb75a6260c17c91db4b9e74ead8cfa06f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8311ee2164c5cd1b63a601ea366f540eae89f10e,63542bb402b7013171c9f621c28b609eda4dbf1f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "ff056817560d72363b463ddac27822dc8c121280"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "683b47d0ebb10ba0d272604b09686e023d10d40c"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "a5bf7ef13ebf6adf62a69ab3542d4fc0564c082e"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "05565b469358a9a03034f7f712d83590a9f125a4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f2ca988aba4eaad1319e80eb1316a4ba5dbd6897"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:25:57.177038+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that contains the meson\u2011spicc double\u2011put fix. This patch removes the erroneous second reference count decrement and restores proper resource management.", "If a kernel update is not immediately possible, disable the meson\u2011spicc driver or prevent the removal of its module so that the faulty remove path is never executed.", "Create a udev rule that prevents removal of meson\u2011spicc devices for non\u2011privileged users, blocking the remove path from executing."], "summary": {"action": "Apply patch", "impact": "Potential kernel crash or privilege escalation due to double\u2011release of a SPI controller reference"}, "threat_synthesis": {"affected_systems": "The flaw resides in the Linux kernel\u2019s meson\u2011spicc driver, affecting all kernel versions that include this driver before the patch. Version information is not specified in the advisory, but any release that contains the unfixed driver is vulnerable.", "description_and_impact": "A double decrement of the reference count for the meson\u2011spicc SPI controller occurs when the driver\u2019s remove path calls spi_controller_put() twice. This mis\u2011management can lead to the controller being released while still in use, potentially triggering a use\u2011after\u2011free, kernel crash, or allowing an attacker to execute arbitrary code with kernel privileges.", "risk_and_exploitability": "The CVSS score is 7.8, indicating a high severity. The EPSS score of 0.00023 (< 1%) indicates a very low but nonzero likelihood that the vulnerability will be actively exploited. The double reference count decrement is a classic use\u2011after\u2011free condition. While the vulnerability is not catalogued in CISA\u2019s KEV, the potential impact is still high. An attacker would need to trigger the driver\u2019s remove routine, which typically requires privileged or local access. In environments where an attacker can unload kernel modules or control device removal, the risk escalates to potential kernel compromise."}}}}, "created": "2026-04-22T17:15:21.904787+00:00", "updated": "2026-04-29T02:30:07.590105+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}