CVE-2026-46241 Overview
CVE-2026-46241 is a use-after-free vulnerability in the Linux kernel's spi-mpc52xx Serial Peripheral Interface (SPI) controller driver. The flaw occurs when controller registration fails and the driver does not properly disable and free its interrupts before cleanup. This sequence leaves an interrupt handler referencing freed memory, creating a window for a use-after-free condition and a resource leak. The issue was identified during review of a related controller deregistration fix and has been resolved upstream across multiple stable kernel branches.
Critical Impact
A use-after-free in kernel interrupt handling can lead to memory corruption, kernel crashes, or local privilege escalation if exploited during driver initialization failure paths.
Affected Products
- Linux kernel builds containing the spi-mpc52xx driver (Freescale MPC52xx SPI controller)
- Stable kernel branches prior to the fix commits referenced below
- Distributions shipping the MPC52xx PowerPC platform support
Discovery Timeline
- 2026-05-28 - CVE-2026-46241 published to the National Vulnerability Database (NVD)
- 2026-05-28 - Last updated in NVD
Technical Details for CVE-2026-46241
Vulnerability Analysis
The spi-mpc52xx driver registers a hardware interrupt handler during probe to service the SPI controller. If the subsequent SPI controller registration step fails, the driver's error path returns without disabling the interrupt line or freeing the associated handler. The interrupt remains armed and references driver-private data that the kernel proceeds to free as probe unwinds. A later interrupt firing against this stale context dereferences released memory, producing a use-after-free [CWE-416] in kernel context.
The defect also leaks the IRQ resource itself, leaving an entry bound to a driver instance that no longer exists. The upstream fix reorders the cleanup so that free_irq() runs before the driver-private allocations are released along the failure path.
Root Cause
The root cause is missing teardown in the probe error path of the MPC52xx SPI driver. Interrupt registration occurs before SPI controller registration, but the failure handler for controller registration omits the symmetric free_irq() call. The driver state thus outlives the resource lifetime expected by the kernel interrupt subsystem.
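The ordering problem described above can be reproduced in a small user-space model. This is an added example, not the spi-mpc52xx source or the upstream patch. Every name in it (model_probe, model_request_irq, model_free_irq, irq_table) is hypothetical, and the "IRQ core" is a plain array. It never invokes the stale handler; it only shows that the line stays bound to freed driver data and cannot be requested again.

```c
/* User-space model of the probe error path (constructed; not driver code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define NR_IRQS 4
struct irq_slot { void (*handler)(void *); void *dev_id; };
static struct irq_slot irq_table[NR_IRQS]; /* stand-in for the IRQ core */
struct model_spi { unsigned long events; }; /* driver-private state */

static void model_irq_handler(void *dev_id)
{
    ((struct model_spi *)dev_id)->events++; /* dereferences dev_id */
}

static bool irq_is_bound(int irq) { return irq_table[irq].handler != NULL; }

static int model_request_irq(int irq, void (*h)(void *), void *dev_id)
{
    if (irq < 0 || irq >= NR_IRQS || irq_is_bound(irq))
        return -1; /* line already owned */
    irq_table[irq] = (struct irq_slot){ h, dev_id };
    return 0;
}

static void model_free_irq(int irq) { irq_table[irq] = (struct irq_slot){ 0 }; }

/* fixed=false omits the IRQ teardown, as in the flawed error path. */
static int model_probe(int irq, bool fail_register, bool fixed)
{
    struct model_spi *ms = calloc(1, sizeof(*ms));
    if (!ms)
        return -1;
    if (model_request_irq(irq, model_irq_handler, ms))
        goto err_free;
    if (!fail_register)
        return 0; /* registered: ms stays alive with the controller */
    if (fixed)
        model_free_irq(irq); /* unbind the handler before its data goes away */
err_free:
    free(ms);
    return -1;
}

int main(void)
{
    model_probe(1, true, false);
    model_probe(2, true, true);
    printf("buggy: bound=%d, fixed: bound=%d\n", irq_is_bound(1), irq_is_bound(2));
    return 0;
}
```

In the buggy variant the table entry for line 1 still holds a pointer to the freed model_spi, which is the stale context an interrupt would dereference, and a second request for that line fails, which is the resource leak.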
Attack Vector
Triggering this condition requires the registration failure path to execute on a system where the MPC52xx SPI driver is loaded. The flaw is local in nature and tied to driver initialization behavior rather than remote input. Exploitation would depend on inducing the failure condition and racing the freed interrupt handler against allocator reuse of the released memory.
No public proof-of-concept code is referenced in the advisory. Readers should consult the upstream commits for the exact code transformation applied.
Detection Methods for CVE-2026-46241
Indicators of Compromise
- Kernel oops or panic messages referencing mpc52xx_spi symbols during or shortly after module load failure
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in SPI interrupt handler paths
- Unexpected interrupt activity on IRQ lines associated with an SPI controller that failed to register
Detection Strategies
- Audit running kernel versions on PowerPC MPC52xx-based systems and compare against the fixed stable releases referenced in the upstream commits
- Enable KASAN and lockdep in test builds to surface use-after-free behavior during driver probe failure simulations
- Review dmesg for spi_register_controller failure messages followed by interrupt-related faults
Monitoring Recommendations
- Centralize kernel logs from embedded and industrial Linux assets and alert on driver probe failures involving SPI subsystems
- Track kernel crash dumps from fleet endpoints and correlate stack traces against known SPI driver symbols
- Maintain an inventory of kernel versions deployed across embedded fleets to confirm patch propagation
How to Mitigate CVE-2026-46241
Immediate Actions Required
- Update affected systems to a Linux kernel release that includes the upstream fix commits for the spi-mpc52xx driver
- For custom or vendor kernels, backport the change so that free_irq() is called on the controller registration failure path
- Restrict physical and administrative access to MPC52xx-based devices while patching is scheduled
Patch Information
The fix has been merged into the mainline and stable Linux kernel trees. Refer to the upstream commits: Kernel Git Commit 336d9a, Kernel Git Commit 5c77f1, Kernel Git Commit 8b49b6, and Kernel Git Commit f62c06.
Workarounds
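- If the MPC52xx SPI controller is not required, blacklist the spi-mpc52xx module to prevent the vulnerable probe path from executing. A blacklist entry only stops automatic loading of a loadable module; it has no effect when the driver is built into the kernel image, and it does not block an explicit modprobe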
- Disable the SPI controller in the device tree on platforms where it is not in use
- Limit local access to trusted operators on systems that cannot be immediately updated
```
# Configuration example: prevent loading the affected driver until patched
echo 'blacklist spi-mpc52xx' | sudo tee /etc/modprobe.d/cve-2026-46241.conf
# Debian/Ubuntu: rebuild the initramfs so the blacklist also applies during early boot
sudo update-initramfs -u
```


