SB2026052976 - Use-after-free in Linux kernel spi driver
Published: May 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-46219)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free in the work handling of the mpc52xx SPI driver state machine when an unbind operation is processed after an interrupt has scheduled work. By triggering device unbinding while the scheduled work is still pending, a local attacker can execute arbitrary code.
Remediation
Install the update from the vendor's website.
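To decide which hosts need the update, the following added example (not part of the bulletin or of the kernel project) classifies a kernel by whether the affected mpc52xx SPI driver is built in, loaded as a module, or absent. The option name `CONFIG_SPI_MPC52xx` and module name `spi_mpc52xx` are taken from the upstream kernel tree rather than from this bulletin, and the sample config and module list are constructed.

```shell
#!/bin/sh
# Exposure check for the mpc52xx SPI driver (added example).
# Assumption: the driver is controlled by CONFIG_SPI_MPC52xx and shows up
# in /proc/modules as spi_mpc52xx. CONFIG_SPI_MPC52xx_PSC is a different
# driver and must not match.

# classify_mpc52xx_spi CONFIG_TEXT MODULES_TEXT
# Prints: builtin | loaded | module-not-loaded | not-built
classify_mpc52xx_spi() {
    cfg_text=$1
    mod_text=$2
    state=$(printf '%s\n' "$cfg_text" |
        sed -n 's/^CONFIG_SPI_MPC52xx=\([ym]\)$/\1/p' | head -n 1)
    case $state in
        y) echo builtin ;;
        m)
            if printf '%s\n' "$mod_text" | grep -q '^spi_mpc52xx '; then
                echo loaded
            else
                echo module-not-loaded
            fi ;;
        *) echo not-built ;;
    esac
}

# Reads the running kernel's config and module list, then classifies it.
check_running_kernel() {
    live_cfg=/boot/config-$(uname -r)
    if [ -r "$live_cfg" ]; then
        live_text=$(cat "$live_cfg")
    elif [ -r /proc/config.gz ]; then
        live_text=$(zcat /proc/config.gz)
    else
        echo "kernel config not found" >&2
        return 2
    fi
    live_mods=$(cat /proc/modules 2>/dev/null || true)
    classify_mpc52xx_spi "$live_text" "$live_mods"
}

# Constructed sample input, not captured from a real system.
SAMPLE_CONFIG='CONFIG_SPI=y
CONFIG_SPI_MPC52xx=m
CONFIG_SPI_MPC52xx_PSC=y'
SAMPLE_MODULES='spi_mpc52xx 16384 0 - Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then check_running_kernel; fi
```

A result of `builtin` or `loaded` means the driver code is present in the running kernel; whether the fix is applied still has to be confirmed against the vendor's fixed kernel version.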
References
- https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02
- https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0
- https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188
- https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46
- https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2