CVE-2026-31485

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A teardown order issue exists in the spi-fsl-lpspi driver. The SPI controller is registered using devm spi register controller(), which delays unregistration until after the fsl lpspi remove() function returns. Because fsl lpspi remove() synchronously tears down DMA channels, a running SPI transfer can trigger a NULL pointer dereference resulting from a use-after-free condition in the fsl lpspi dma transfer() function.

Recommendations Update the Linux kernel to a version where devm spi register controller() is replaced by spi register controller() in fsl lpspi probe() and spi unregister controller() is added to fsl lpspi remove().