CVE-2026-23475
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the SPI statistics allocation. Per-CPU statistics were not allocated before controller registration, allowing a NULL-pointer dereference when accessing sysfs attributes.
Risk Assessment
A local attacker could trigger a kernel panic or potentially escalate privileges by reading sysfs attributes during the vulnerability window.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit moving statistics allocation to controller allocation time).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

