Linux Kernel SPI UAF on Controller Registration Failure
CVE-2026-31389 Published on April 3, 2026
spi: fix use-after-free on controller registration failure
In the Linux kernel, the following vulnerability has been resolved:
spi: fix use-after-free on controller registration failure
Make sure to deregister from driver core also in the unlikely event that
per-cpu statistics allocation fails during controller registration to
avoid use-after-free (of driver resources) and unclocked register
accesses.
Products Associated with CVE-2026-31389
Affected Versions
Linux:
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit 0e23f50086da7d0b183dfeac26021acfcdee086b is affected.
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit 6bbd385b30c7fb6c7ee0669e9ada91490938c051 is affected.
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit afe27c1f43aa57530011f419be6ddf71306565d2 is affected.
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit 80f3e8cd2b4ad355b2ad2024cf423f6d183404f7 is affected.
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit 23b51bad2eb8787aa74324cfccefb258515ae5ba is affected.
- From commit 6598b91b5ac32bc756d7c3000a31f775d4ead1c4 up to, but not including, commit 8634e05b08ead636e926022f4a98416e13440df9 is affected.
- Version 6.0 is affected.
- Versions before 6.0 are unaffected.
- Version 6.1.167 and later 6.1.* releases are unaffected.
- Version 6.6.130 and later 6.6.* releases are unaffected.
- Version 6.12.78 and later 6.12.* releases are unaffected.
- Version 6.18.20 and later 6.18.* releases are unaffected.
- Version 6.19.10 and later 6.19.* releases are unaffected.
- Version 7.0-rc5 and all later versions are unaffected.
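
A check of an upstream kernel release string against the version ranges listed above, as an added example that is not part of the original advisory. The function names are hypothetical, and the check assumes kernel.org version numbering: distribution kernels that backport fixes under an older version number need the vendor's advisory instead.

```python
import platform
import re

# Ranges copied from the "Affected Versions" list on this page.
FIRST_AFFECTED = (6, 0)            # versions before 6.0 are unaffected
FIXED_IN_SERIES = {                # stable series -> first fixed patch level
    (6, 1): 167, (6, 6): 130, (6, 12): 78, (6, 18): 20, (6, 19): 10,
}
MAINLINE_FIX = (7, 0)              # mainline fix: 7.0-rc5
MAINLINE_FIX_RC = 5

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split '6.6.129', '7.0-rc4' or '6.1.166-custom' into (major, minor, patch, rc)."""
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    rc = int(m.group(4)) if m.group(4) else None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), rc


def cve_2026_31389_status(release):
    """Return 'affected' or 'unaffected' for an upstream release string."""
    major, minor, patch, rc = parse_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED or series > MAINLINE_FIX:
        return "unaffected"
    if series == MAINLINE_FIX:
        # 7.0 release candidates before rc5 predate the fix; rc5, the
        # final release and its stable updates carry it.
        return "unaffected" if rc is None or rc >= MAINLINE_FIX_RC else "affected"
    fixed_patch = FIXED_IN_SERIES.get(series)
    # Series with no fixed release listed on the page (for example 6.0.x)
    # stay affected at every patch level.
    if fixed_patch is not None and patch >= fixed_patch:
        return "unaffected"
    return "affected"


if __name__ == "__main__":
    running = platform.release()
    print(running, cve_2026_31389_status(running))
```

Run directly, it evaluates the release string of the running kernel; an "affected" result on a distribution kernel means the vendor changelog still has to be checked for the backported fix.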