CVE-2026-23068
Published: 04 February 2026
Summary
CVE-2026-23068 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23068 is a double-free vulnerability (CWE-415) in the Linux kernel's spi-sprd-adi driver. The issue occurs during the probe error path, where the driver allocates a controller using spi_alloc_host() but registers it with devm_spi_register_controller(). If devm_register_restart_handler() fails, the code manually calls spi_controller_put(), but the device core automatically invokes it again upon probe failure, resulting in a double-free of the spi_controller structure. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-04.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially allowing the attacker to cause kernel crashes, memory corruption, or arbitrary code execution through the double-free.
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, such as https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0 and others listed. These patches resolve the issue by switching to devm_spi_alloc_host() for allocation and removing the manual spi_controller_put() call, preventing the double-free. Security practitioners should update affected Linux kernels to incorporate these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5476
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to…
more
the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free in Linux kernel driver enables local privilege escalation via memory corruption and arbitrary code execution (AV:L).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 mandates timely identification, reporting, prioritization, and remediation of flaws like the double-free in the spi-sprd-adi driver by applying upstream kernel patches.
SI-16 enforces memory protection mechanisms that mitigate exploitation of the double-free vulnerability by restricting unauthorized memory access, modification, or disclosure.
CM-7 restricts systems to least functionality by disabling unnecessary kernel drivers such as spi-sprd-adi when not required for hardware, preventing trigger of the probe error path vulnerability.