CVE-2026-23207

MEDIUM EPSS 0.5%
Published Feb 14, 20264mo ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Feb 14, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin_lock() t = tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
0.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-362
CWE-416 Use After Free Memory Safety

Affected Products 14

VendorProductVersionRange
linuxlinux_kernel*≥5.15.198  –  <5.16
linuxlinux_kernel*≥6.1.160  –  <6.2
linuxlinux_kernel*≥6.6.120  –  <6.7
linuxlinux_kernel*≥6.12.63  –  <6.13
linuxlinux_kernel*≥6.17.13  –  <6.18
linuxlinux_kernel*≥6.18.2  –  <6.18.10
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 3

  • git.kernel.org https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/84e926c1c272a35ddb9b86842d32fa833a60dfc7
  • git.kernel.org https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2ac3a105e51496147c0e44e49466eecfcc532d57
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/edf9088b6e1d6d88982db7eb5e736a0e4fbcc09e
    Patch