CVE-2026-23475 Overview
A Null Pointer Dereference vulnerability has been identified in the Linux kernel's SPI (Serial Peripheral Interface) subsystem. The vulnerability exists in the statistics allocation mechanism where the controller per-cpu statistics is not allocated until after the controller has been registered with the driver core. This creates a race condition window where accessing the sysfs attributes can trigger a NULL-pointer dereference, potentially causing system instability or denial of service.
Critical Impact
Local attackers can exploit this race condition to trigger a kernel NULL-pointer dereference by accessing sysfs attributes during the brief window between controller registration and statistics allocation, potentially causing system crashes or denial of service conditions.
Affected Products
- Linux Kernel (multiple versions affected)
- Systems utilizing SPI controllers with sysfs statistics interfaces
- Embedded systems and devices relying on SPI bus communication
Discovery Timeline
- April 3, 2026 - CVE-2026-23475 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23475
Vulnerability Analysis
This vulnerability represents a classic race condition in Linux kernel device initialization. The SPI controller subsystem maintains per-CPU statistics that are exposed through sysfs for monitoring and debugging purposes. The issue arises from the timing of when these statistics structures are allocated relative to when the controller becomes accessible to userspace.
When an SPI controller is registered with the driver core, the device becomes visible in sysfs and its attributes become accessible. However, the per-cpu statistics allocation was previously handled using implicit devres (device-managed resources) which occurred after the registration process. This ordering creates a temporal window where the sysfs attribute handlers could be invoked before the statistics memory has been allocated.
An attacker or even legitimate system processes accessing the statistics attributes during this brief window would cause the kernel to dereference a NULL pointer, resulting in a kernel oops or panic depending on system configuration.
Root Cause
The root cause of this vulnerability is improper resource initialization ordering in the SPI controller registration path. The statistics allocation was deferred using device-managed resources (devres), which are processed after device registration. This created a race condition where:
- The SPI controller is registered with the driver core
- Sysfs attributes become immediately accessible
- Statistics structures are allocated via devres (too late)
The fix addresses this by moving the statistics allocation to occur during controller allocation itself, ensuring the memory is available before any sysfs attributes can be accessed. Additionally, the lifetime of the statistics is now tied directly to the controller structure rather than relying on implicit devres cleanup.
Attack Vector
The attack vector for this vulnerability is local, requiring the attacker to have access to the system's sysfs interface. The exploitation scenario involves:
- Monitoring for SPI controller registration events
- Rapidly accessing the controller's statistics sysfs attributes immediately after registration
- Triggering the NULL-pointer dereference before statistics allocation completes
While this requires precise timing, automated tools could potentially exploit this during system boot or when SPI devices are hot-plugged. The vulnerability mechanism involves the kernel's sysfs attribute show functions attempting to read from the statistics structure before it has been allocated, resulting in a NULL pointer being dereferenced when the access occurs during the vulnerable window.
Detection Methods for CVE-2026-23475
Indicators of Compromise
- Kernel oops or panic messages referencing SPI controller statistics or sysfs handlers
- System crash logs indicating NULL-pointer dereference in the spi subsystem
- Unusual access patterns to /sys/class/spi_master/*/statistics immediately after device registration
- Core dumps or crash reports with backtraces through SPI controller initialization code
Detection Strategies
- Monitor kernel logs for NULL-pointer dereference errors in SPI-related code paths
- Implement auditd rules to track access to SPI controller sysfs attributes during boot
- Deploy kernel-level monitoring to detect rapid sysfs access during device registration
- Review system logs for repeated SPI controller registration failures or crashes
Monitoring Recommendations
- Enable kernel crash reporting and ensure kdump is configured for post-mortem analysis
- Monitor for unusual sysfs access patterns using tools like inotify or eBPF programs
- Set up alerting for kernel oops messages containing spi subsystem references
- Review dmesg output during boot for SPI-related warnings or errors
How to Mitigate CVE-2026-23475
Immediate Actions Required
- Update to a patched Linux kernel version that includes the statistics allocation fix
- If updates are not immediately possible, restrict access to sysfs SPI statistics attributes
- Monitor systems for signs of exploitation attempts or unexpected kernel crashes
- Review and audit any scripts or services that access SPI sysfs attributes during boot
Patch Information
The Linux kernel developers have addressed this vulnerability through multiple commits that move the statistics allocation to controller allocation time. The fix ensures that per-cpu statistics structures are available before the controller is registered with the driver core, eliminating the race condition window.
Patches are available through the kernel.org stable git repositories:
- Kernel Git Commit 118ce77
- Kernel Git Commit 378b295
- Kernel Git Commit 80c5bd0
- Kernel Git Commit dee0774
- Kernel Git Commit df30056
- Kernel Git Commit f13100b
Workarounds
- Restrict access to SPI sysfs directories using filesystem permissions until patching is possible
- Disable unnecessary SPI controller modules if they are not required for system operation
- Implement a boot delay before accessing SPI statistics to allow controller initialization to complete
- Use SELinux or AppArmor policies to limit which processes can access SPI sysfs attributes
# Configuration example - Restrict sysfs SPI statistics access
# Add to system startup scripts or udev rules
chmod 600 /sys/class/spi_master/*/statistics/* 2>/dev/null || true
# Alternatively, use udev rules to set permissions
# Create /etc/udev/rules.d/99-spi-statistics.rules:
# SUBSYSTEM=="spi_master", ATTR{statistics/*}=="*", MODE="0600"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
