CVE-2026-23475Access of Uninitialized Pointer in Linux

CWE-824Access of Uninitialized Pointer6 documents6 sources
Severity
5.5MEDIUM
No vector
EPSS
0.0%
top 90.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedApr 3

Description

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).

Affected Packages3 packages

Debianlinux/linux_kernel< 6.19.10-1
CVEListV5linux/linux6598b91b5ac32bc756d7c3000a31f775d4ead1c480c5bd0dca1cc5526ae0f4b273ccd163ed4caa4e+6
debiandebian/linux< linux 6.19.10-1 (forky)

🔴Vulnerability Details

2
GHSA
GHSA-p23v-v2wc-73m3: In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocate2026-04-03
OSV
CVE-2026-23475: In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated2026-04-03

📋Vendor Advisories

2
Red Hat
kernel: spi: fix statistics allocation2026-04-03
Debian
CVE-2026-23475: linux - In the Linux kernel, the following vulnerability has been resolved: spi: fix st...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23475 Impact, Exploitability, and Mitigation Steps | Wiz