CVE-2026-31485
Published: 22 April 2026
Summary
CVE-2026-31485 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Installing upstream kernel patches for CVE-2026-31485 directly remediates the use-after-free vulnerability in the spi-fsl-lpspi driver by correcting the controller registration and teardown order.
Vulnerability scanning identifies the presence of this kernel driver flaw, enabling prioritization and application of specific patches before exploitation.
Kernel memory protections such as KASLR and supervisor-mode execution prevention mitigate exploitation of the use-after-free leading to NULL dereference or potential code execution.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A local kernel UAF in the SPI driver enables privilege escalation (T1068) via exploitation of freed memory, or DoS via a NULL dereference crash (T1499.004); the high C/I/A impact supports both.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-fsl-lpspi: fix teardown order issue (UAF)
There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns.
As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free:
| fsl_lpspi 42550000.spi: I/O Error in DMA RX
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[...]
| Call trace:
| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
| spi_transfer_one_message+0x49c/0x7c8
| __spi_pump_transfer_message+0x120/0x420
| __spi_sync+0x2c4/0x520
| spi_sync+0x34/0x60
| spidev_message+0x20c/0x378 [spidev]
| spidev_ioctl+0x398/0x750 [spidev]
[...]
Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
Deeper analysis (AI)
CVE-2026-31485 is a use-after-free vulnerability (CWE-416) in the Linux kernel's spi-fsl-lpspi driver, which manages the Freescale Layerscape LPSPI SPI controller. The flaw stems from an incorrect teardown order during driver removal. The driver registers the SPI controller with devm_spi_register_controller(), delaying unregistration until after fsl_lpspi_remove() completes. However, fsl_lpspi_remove() synchronously tears down DMA channels, which can trigger a NULL pointer dereference if an SPI transfer is active, as evidenced by kernel logs showing errors in fsl_lpspi_dma_transfer and call traces involving spidev ioctls.
A local attacker with low privileges (AV:L/PR:L) can exploit this low-complexity vulnerability (AC:L/UI:N) without user interaction. By initiating an SPI transfer via the spidev interface during driver removal—such as through spidev_message and spidev_ioctl—they can trigger the use-after-free, leading to a kernel NULL pointer dereference at address 0x0000000000000000. The CVSS v3.1 score of 7.8 (C:H/I:H/A:H) indicates potential for high-impact confidentiality, integrity, and availability violations, including system crashes or further exploitation of the freed memory.
Kernel patches in stable repositories address the issue by replacing devm_spi_register_controller() with spi_register_controller() in fsl_lpspi_probe() and adding spi_unregister_controller() in fsl_lpspi_remove(), ensuring proper teardown sequencing. Relevant commits include 15650dfbaeeb, adb25339b661, b341c1176f2e, ca4483f36ac1, and d5d01f24bc6f, published upstream as of April 22, 2026. Security practitioners should update affected Linux kernels promptly.
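
A triage check for the spidev path described above, as an added example that is not part of the advisory or the kernel source: it reports whether any device is bound to the fsl_lpspi driver and whether spidev nodes can be opened by non-root users. The sysfs and /dev paths, the use of GNU stat, and the function names are assumptions, and the result does not tell whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Triage sketch for CVE-2026-31485 (added example, not from the advisory).
# Assumes the usual sysfs/devtmpfs layout and GNU stat; the optional first
# argument is a root prefix so the checks can run against a copied or test tree.

# List platform devices bound to the fsl_lpspi driver, one per line.
lpspi_bound_devices() {
    drv="${1:-}/sys/bus/platform/drivers/fsl_lpspi"
    for entry in "$drv"/*; do
        # Bound devices are symlinks (e.g. 42550000.spi); "module" is not a device.
        if [ -L "$entry" ] && [ "$(basename "$entry")" != "module" ]; then
            basename "$entry"
        fi
    done
    return 0
}

# List spidev nodes whose mode grants group or other read/write access.
# Coarse: does not verify that the node sits behind an LPSPI controller.
spidev_nonroot_nodes() {
    for node in "${1:-}"/dev/spidev*; do
        [ -e "$node" ] || continue
        mode=$(stat -c '%a' "$node")
        # Leading 0 makes the shell read the mode as octal before masking.
        if [ $(( 0$mode & 066 )) -ne 0 ]; then
            echo "$(basename "$node") mode=$mode"
        fi
    done
    return 0
}

# Rate only the spidev path that appears in the advisory's call trace.
lpspi_spidev_surface() {
    bound=$(lpspi_bound_devices "${1:-}")
    nodes=$(spidev_nonroot_nodes "${1:-}")
    if [ -z "$bound" ]; then
        echo "absent"          # driver not bound to any device
    elif [ -z "$nodes" ]; then
        echo "root-only"       # driver in use, spidev limited to root
    else
        echo "user-reachable"  # low-privileged users can start transfers
    fi
}

# Report for the running system (or for the tree given as first argument).
lpspi_spidev_surface "${1:-}"
```

A result of "root-only" or "user-reachable" means the driver is in use and the kernel should be checked against the fixing commits listed above; in-kernel SPI client drivers are outside what this check rates.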
Details
- CWE(s)