{"api_version":"1","generated_at":"2026-04-22T16:28:19+00:00","cve":"CVE-2026-31485","urls":{"html":"https://cve.report/CVE-2026-31485","api":"https://cve.report/api/cve/CVE-2026-31485.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31485","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31485"},"summary":{"title":"spi: spi-fsl-lpspi: fix teardown order issue (UAF)","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:45","updated_at":"2026-04-22 14:16:45"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3","name":"https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e","name":"https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb","name":"https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b","name":"https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6","name":"https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc","name":"https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300","name":"https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86","name":"https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31485","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31485","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e ca4483f36ac1b62e69f8b182c5b8f059e0abecfb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e e3fd54f8b0317fbccc103961ddd660f2a32dcf0b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e adb25339b66112393fd6892ceff926765feb5b86 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e d5d01f24bc6fbde40b4e567ef9160194b61267bc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e 15650dfbaeeb14bcaaf053b93cf631db8d465300 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5314987de5e5f5e38436ef4a69328bc472bbd63e b341c1176f2e001b3adf0b47154fc31589f7410e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.168 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.131 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/spi/spi-fsl-lpspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"ca4483f36ac1b62e69f8b182c5b8f059e0abecfb","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"e3fd54f8b0317fbccc103961ddd660f2a32dcf0b","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"adb25339b66112393fd6892ceff926765feb5b86","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"d5d01f24bc6fbde40b4e567ef9160194b61267bc","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"15650dfbaeeb14bcaaf053b93cf631db8d465300","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"},{"lessThan":"b341c1176f2e001b3adf0b47154fc31589f7410e","status":"affected","version":"5314987de5e5f5e38436ef4a69328bc472bbd63e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/spi/spi-fsl-lpspi.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.10"},{"lessThan":"4.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.168","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.131","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.131","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"4.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.10","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove()."}],"providerMetadata":{"dateUpdated":"2026-04-22T13:54:10.892Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fbe6f40caeebb0b1ea9dfedc259124c1d3cda7a6"},{"url":"https://git.kernel.org/stable/c/ca4483f36ac1b62e69f8b182c5b8f059e0abecfb"},{"url":"https://git.kernel.org/stable/c/e3fd54f8b0317fbccc103961ddd660f2a32dcf0b"},{"url":"https://git.kernel.org/stable/c/adb25339b66112393fd6892ceff926765feb5b86"},{"url":"https://git.kernel.org/stable/c/d5d01f24bc6fbde40b4e567ef9160194b61267bc"},{"url":"https://git.kernel.org/stable/c/e89e2b97253c124d37bf88e96e5e8ce5c3aeeec3"},{"url":"https://git.kernel.org/stable/c/15650dfbaeeb14bcaaf053b93cf631db8d465300"},{"url":"https://git.kernel.org/stable/c/b341c1176f2e001b3adf0b47154fc31589f7410e"}],"title":"spi: spi-fsl-lpspi: fix teardown order issue (UAF)","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31485","datePublished":"2026-04-22T13:54:10.892Z","dateReserved":"2026-03-09T15:48:24.101Z","dateUpdated":"2026-04-22T13:54:10.892Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:45","lastModifiedDate":"2026-04-22 14:16:45","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31485","Ordinal":"1","Title":"spi: spi-fsl-lpspi: fix teardown order issue (UAF)","CVE":"CVE-2026-31485","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31485","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n|  fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n|  fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n|  spi_transfer_one_message+0x49c/0x7c8\n|  __spi_pump_transfer_message+0x120/0x420\n|  __spi_sync+0x2c4/0x520\n|  spi_sync+0x34/0x60\n|  spidev_message+0x20c/0x378 [spidev]\n|  spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove().","Type":"Description","Title":"spi: spi-fsl-lpspi: fix teardown order issue (UAF)"}]}}}