Linux Kernel Vulnerability in SPI Controller by Vendor
CVE-2026-31489
What is CVE-2026-31489?
A resource management issue has been identified in the Linux kernel's SPI controller subsystem, specifically in the meson-spicc driver. Removing the SPI controller decrements its reference count twice (a double-put). meson_spicc_probe() registers the controller with devm_spi_register_controller(), which automatically manages controller references, but meson_spicc_remove() also calls spi_controller_put(). The extra put can lead to resource mismanagement, potentially causing crashes or stability issues in the kernel.
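The lifetime mismatch described above, as an added userspace model that is not the kernel's or the driver's code. All toy_* names are hypothetical, and the model assumes a single reference taken at probe whose release is owned by a managed cleanup action that runs after the remove callback.

```c
#include <stdio.h>
/* Userspace model only: every toy_* name is hypothetical, not a kernel API. */
#define MAX_ACTIONS 4

struct toy_ctlr { int refs; int bad_puts; };
struct toy_dev {                 /* per-device list of managed cleanup actions */
    void (*action[MAX_ACTIONS])(void *);
    void *arg[MAX_ACTIONS];
    int n;
};

static void toy_put(void *p)
{
    struct toy_ctlr *c = p;
    if (c->refs == 0) { c->bad_puts++; return; }  /* put with no reference left */
    c->refs--;
}

static void toy_devm_add(struct toy_dev *d, void (*fn)(void *), void *arg)
{
    d->action[d->n] = fn; d->arg[d->n] = arg; d->n++;
}

/* probe: one reference is taken and its release is handed to managed cleanup */
static void toy_probe(struct toy_dev *d, struct toy_ctlr *c)
{
    c->refs = 1; c->bad_puts = 0; d->n = 0;
    toy_devm_add(d, toy_put, c);
}

/* remove callback: extra_put=1 models the redundant put, 0 leaves it to cleanup */
static void toy_remove(struct toy_ctlr *c, int extra_put)
{
    if (extra_put) toy_put(c);
}

/* unbind: remove callback first, then managed actions in reverse order */
int toy_unbind(int extra_put)
{
    struct toy_dev d; struct toy_ctlr c;
    toy_probe(&d, &c);
    toy_remove(&c, extra_put);
    while (d.n > 0) { d.n--; d.action[d.n](d.arg[d.n]); }
    return c.bad_puts;           /* count of puts that had no reference to drop */
}

int main(void)
{
    printf("extra put: %d bad put(s)\n", toy_unbind(1));
    printf("no extra put: %d bad put(s)\n", toy_unbind(0));
    return 0;
}
```

In the model the unmatched put is only counted; on a real refcounted object it would act on memory that may already have been released.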
Affected Version(s)
Linux 8311ee2164c5cd1b63a601ea366f540eae89f10e < 40ad0334c17b23d8b66b1082ad1478a6202e90e2
Linux 8311ee2164c5cd1b63a601ea366f540eae89f10e
Linux 8311ee2164c5cd1b63a601ea366f540eae89f10e < 9b812ceb75a6260c17c91db4b9e74ead8cfa06f5