CVE Catalog

CVE-2026-23475

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the SPI statistics allocation. Per-CPU statistics were not allocated before controller registration, allowing a NULL-pointer dereference when accessing sysfs attributes.

Risk Assessment

A local attacker could trigger a kernel panic or potentially escalate privileges by reading sysfs attributes during the vulnerability window.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit moving statistics allocation to controller allocation time).

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS