PT-2026-6138 · Linux+1 · Linux Kernel+1

Published 2026-01-01 · Updated 2026-05-22 · CVE-2026-23068

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The Linux kernel driver for spi-sprd-adi contains a flaw where a double-free of the spi_controller structure can occur. This happens when devm_register_restart_handler() fails, causing the code to call spi_controller_put(). Because the controller was registered using a devm function, the device core also calls spi_controller_put(), leading to the double-free. The issue arises from using spi_alloc_host() for allocation and devm_spi_register_controller() for registration.

Recommendations

Switch to using devm_spi_alloc_host() and remove the manual spi_controller_put() call.
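A userspace C model of the ownership mismatch described above, added here as an illustration; it is not code from the spi-sprd-adi driver or from the kernel fix. All `model_*` names and `count_bad_puts` are hypothetical, and the device core's cleanup is reduced to a single put, as the description states.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the controller: one reference, plus a counter
 * for puts that arrive after the last reference is already gone. */
struct model_ctlr { int refs; int bad_puts; };

static void model_controller_put(struct model_ctlr *c)
{
    if (c->refs == 0) {          /* in the kernel this is the second free */
        c->bad_puts++;
        return;
    }
    c->refs--;
}

/* Device core releasing devm-managed resources after probe fails. */
static void model_devres_unwind(struct model_ctlr *c)
{
    model_controller_put(c);
}

/* fixed == false: manual put in the error path plus the devm-driven put.
 * fixed == true:  release left entirely to the devm-managed path. */
static int model_probe(struct model_ctlr *c, bool fixed, int restart_handler_ret)
{
    c->refs = 1;                 /* allocation hands out one reference */
    c->bad_puts = 0;
    /* devm registration succeeded: the device core now owns the release */
    if (restart_handler_ret) {
        if (!fixed)
            model_controller_put(c);   /* pre-fix error path */
        model_devres_unwind(c);        /* always runs on probe failure */
        return restart_handler_ret;
    }
    return 0;
}

int count_bad_puts(bool fixed, int restart_handler_ret)
{
    struct model_ctlr c;
    model_probe(&c, fixed, restart_handler_ret);
    return c.bad_puts;
}

int main(void)
{
    printf("pre-fix: %d extra put(s), fixed: %d\n",
           count_bad_puts(false, -EINVAL), count_bad_puts(true, -EINVAL));
    return 0;
}
```

The extra put only appears when restart-handler registration fails, which is why the flaw sits in a rarely exercised error path.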

Weakness Enumeration

Double Free

Related Identifiers

CVE-2026-23068
ECHO-911C-9CF6-AC0B
OPENSUSE-SU-2026:20416-1
SUSE-SU-2026:0962-1
SUSE-SU-2026:1081-1
SUSE-SU-2026:20667-1
SUSE-SU-2026:20720-1
SUSE-SU-2026:20838-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
SUSE-SU-2026:20931-1
SUSE-SU-2026:21284-1
USN-8278-1
USN-8289-1
USN-8296-1

Affected Products

Linux Kernel
Ubuntu