Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.0, < 6.1.167 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/118ce777d39f03cac99231196f820e4f998613a8Patch
- https://git.kernel.org/stable/c/378b295f67102eef78cf2c28105f60ae1dab5cc1Patch
- https://git.kernel.org/stable/c/80c5bd0dca1cc5526ae0f4b273ccd163ed4caa4ePatch
- https://git.kernel.org/stable/c/dee0774bbb2abb172e9069ce5ffef579b12b3ae9Patch
- https://git.kernel.org/stable/c/df30056c78e8bead02d4be020199cabdbec0fef1Patch
- https://git.kernel.org/stable/c/f13100b1f5f111989f0750540a795fdef47492afPatch
FAQ
What is CVE-2026-23475?
CVE-2026-23475 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered w...
How severe is CVE-2026-23475?
CVE-2026-23475 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23475?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.