CVE-2026-23202

Summary

In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer

The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler.

Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field.

Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux88db8bb7ed1bb474618acdf05ebd4f0758d244e2 < 9fa4262a80f751d14a6a39d2c03f57db68da2618affected
LinuxLinux83309dd551cfd60a5a1a98d9cab19f435b44d46d < 762e2ce71c8f0238e9eaf05d14da803d9a24422faffected
LinuxLinuxc934e40246da2c5726d14e94719c514e30840df8 < 712cde8d916889e282727cdf304a43683adf899eaffected
LinuxLinux551060efb156c50fe33799038ba8145418cfdeef < 6fd446178a610a48e80e5c5b487b0707cd01daacaffected
LinuxLinux01bbf25c767219b14c3235bfa85906b8d2cb8fbc < 3bc293d5b56502068481478842f57b3d96e432c7affected
LinuxLinuxb4e002d8a7cee3b1d70efad0e222567f92a73000 < bf4528ab28e2bf112c3a2cdef44fd13f007781cdaffected
LinuxLinuxbb0c58be84f907285af45657c1d4847b960a12bfaffected
LinuxLinux6.17.13 < 6.18affected
LinuxLinux5.15.198 < 5.15.200affected
LinuxLinux6.1.160 < 6.1.163affected
LinuxLinux6.6.120 < 6.6.124affected
LinuxLinux6.12.63 < 6.12.70affected
LinuxLinux6.18.2 < 6.18.10affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References