CVE-2026-43460 Overview
CVE-2026-43460 is a double-free vulnerability in the Linux kernel spi-rockchip-sfc driver. The driver registers its SPI controller using devm_spi_register_controller(), which automatically unregisters the controller through the device-managed (devm) cleanup path when the device is removed. The remove() callback then makes an additional manual call to spi_unregister_controller(), producing a double-free condition. Maintainers resolved the issue by switching the probe path to spi_register_controller() so that controller unregistration occurs before the DMA buffer is unmapped.
Critical Impact
Local triggering of the double-free during device removal can corrupt kernel memory structures and destabilize systems using Rockchip Serial Flash Controller hardware.
Affected Products
- Linux kernel versions containing the spi-rockchip-sfc driver prior to the fix commits
- Systems using Rockchip Serial Flash Controller (SFC) hardware
- Distributions shipping the affected upstream stable kernel branches
Discovery Timeline
- 2026-05-08 - CVE-2026-43460 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43460
Vulnerability Analysis
The spi-rockchip-sfc driver manages the Rockchip Serial Flash Controller used to interface with SPI NOR flash devices. During probe, the driver registers the SPI controller using the device-managed helper devm_spi_register_controller(). The devm framework records this registration and automatically invokes the corresponding unregister routine when the device is torn down.
The driver's remove() callback also directly calls spi_unregister_controller() on the same controller. When the device is removed, the manual call executes first, releasing the controller's resources. The devm cleanup then runs a second unregistration on already-freed structures, producing a double-free [CWE-415].
A secondary correctness issue motivated the same patch. The driver unmaps its DMA buffer during teardown, but the devm-driven unregister ordering could allow the controller to remain active after the DMA buffer is released. Switching to spi_register_controller() in probe gives the driver explicit control over teardown ordering.
Root Cause
The root cause is duplicated cleanup logic. Using devm_spi_register_controller() transfers ownership of unregistration to the devm subsystem. Retaining the manual spi_unregister_controller() call in remove() violates the devm contract and causes the same resource to be released twice.
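The teardown ordering described above, as a userspace C model added here for illustration; it is not code from the driver, the kernel, or the fix commits. The struct and function names are hypothetical stand-ins for the kernel calls named in the comments, and the three variants are assumptions about the shape of probe() and remove() based on this description.

```c
#include <stdio.h>

/* Userspace model (assumption, not kernel code): counters stand in for the
 * SPI core and the DMA API so the teardown order can be observed. */
struct ctlr { int registered, unregister_calls, active_at_unmap; };
typedef void (*devres_fn)(struct ctlr *);
struct device { devres_fn actions[4]; int n; struct ctlr c; };

/* Stand-in for spi_unregister_controller(): a second call acts on state
 * that was already released, which is the double-free in the real driver. */
static void unregister_controller(struct ctlr *c) { c->unregister_calls++; c->registered = 0; }
/* Stand-in for the DMA unmap; notes a controller that is still registered. */
static void dma_unmap(struct ctlr *c) { if (c->registered) c->active_at_unmap = 1; }
/* Stand-in for spi_register_controller(): no automatic cleanup. */
static void register_controller(struct device *d) { d->c.registered = 1; }
/* Stand-in for devm_spi_register_controller(): also queues the unregister. */
static void devm_register_controller(struct device *d)
{
    register_controller(d);
    d->actions[d->n++] = unregister_controller;
}
/* Managed cleanup runs after remove() returns, newest action first. */
static void devres_release_all(struct device *d) { while (d->n) d->actions[--d->n](&d->c); }

/* BUGGY: devm register + manual unregister. DEVM_ONLY: hypothetical variant
 * that drops the manual call instead. FIXED: plain register + manual call. */
enum variant { BUGGY, DEVM_ONLY, FIXED };

/* Runs probe, remove() and managed cleanup for one variant; returns final state. */
static struct ctlr run(enum variant v)
{
    struct device d = {0};
    if (v == FIXED) register_controller(&d);          /* probe */
    else devm_register_controller(&d);
    if (v != DEVM_ONLY) unregister_controller(&d.c);  /* remove(): manual call */
    dma_unmap(&d.c);                                  /* remove(): DMA teardown */
    devres_release_all(&d);                           /* after remove() returns */
    return d.c;
}

int main(void)
{
    const char *name[] = { "buggy", "devm-only", "fixed" };
    for (int v = BUGGY; v <= FIXED; v++) {
        struct ctlr c = run((enum variant)v);
        printf("%-9s unregister_calls=%d active_at_unmap=%d\n", name[v], c.unregister_calls, c.active_at_unmap);
    }
    return 0;
}
```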
Attack Vector
Triggering the flaw requires the device removal path to execute on a system with the affected driver bound to Rockchip SFC hardware. Local attackers with the ability to unbind the driver, unload the module, or initiate device hot-removal can reach the vulnerable code. Successful exploitation produces kernel memory corruption that typically results in a denial of service, with potential for further impact depending on heap state at the time of the second free.
No verified public proof-of-concept code is available. See the upstream fix commits for the precise code change: kernel.org commit 111e2863, kernel.org commit 85fb5335, and kernel.org commit b6051f2b.
Detection Methods for CVE-2026-43460
Indicators of Compromise
- Kernel oops or panic messages referencing spi_unregister_controller, rockchip_sfc, or SLUB double-free warnings during module unload or device removal.
- KASAN reports flagging double-free or use-after-free conditions in the SPI subsystem on Rockchip platforms.
- Unexpected SPI flash access failures or storage subsystem instability following driver unbind operations.
Detection Strategies
- Audit installed kernel package versions against the fixed upstream stable releases referenced in the kernel.org commits.
- Enable KASAN and SLUB debugging on test builds to surface the double-free during driver removal testing.
- Monitor dmesg and persistent kernel logs for SPI subsystem errors correlated with device hot-removal events.
Monitoring Recommendations
- Forward kernel logs from Rockchip-based devices to a centralized logging platform and alert on panic, oops, and KASAN signatures.
- Track module load and unload events for spi-rockchip-sfc to identify abnormal driver lifecycle activity.
- Include affected kernel versions in vulnerability management scans and inventory reports for embedded and edge fleets.
How to Mitigate CVE-2026-43460
Immediate Actions Required
- Identify hosts and embedded devices running kernels with the unpatched spi-rockchip-sfc driver, particularly Rockchip-based platforms.
- Apply the upstream stable kernel updates that include the three fix commits referenced by the NVD entry.
- Restrict the ability to unbind kernel drivers or hot-remove devices to privileged administrative accounts only.
Patch Information
The fix replaces devm_spi_register_controller() with spi_register_controller() in the probe path and removes redundant unregistration logic, ensuring the controller is unregistered before the DMA buffer is unmapped. The patch is available in upstream Linux stable trees via the commits 111e2863372c, 85fb53351e6a, and b6051f2bdd4b. Consume the fix through your distribution's kernel updates.
Workarounds
- Avoid unbinding or unloading the spi-rockchip-sfc driver on production systems until the patched kernel is deployed.
- Where the SPI flash controller is not required, blacklist the spi-rockchip-sfc module to prevent the vulnerable code path from being reachable.
- Limit physical and administrative access to affected devices to reduce the opportunity to trigger driver removal.
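```bash
# Verify running kernel version and check for the rockchip-sfc driver
uname -r
# No output means the module is not loaded, or the driver is built into the
# kernel, in which case a modprobe blacklist has no effect
lsmod | grep spi_rockchip_sfc
# Optional: blacklist the module until patched kernel is installed
echo 'blacklist spi_rockchip_sfc' | sudo tee /etc/modprobe.d/cve-2026-43460.conf
# Rebuild the initramfs so the blacklist also applies at early boot (Debian/Ubuntu tool)
sudo update-initramfs -u
```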
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


