CVE-2026-45996
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability related to use-after-free in the SPI subsystem has been fixed in the Linux kernel. The issue occurred during the deregistration of the controller, which could lead to improper freeing of driver data.
Risk Assessment
Organizations may be exposed to system crashes or unexpected application behavior if the SPI controller is improperly registered or removed.
Recommendation
It is recommended to update the Linux kernel to the latest version to eliminate this vulnerability and ensure system stability.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed). Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it.

