spmi: mediatek: Fix UAF on device remove
Description
A use-after-free in the Mediatek SPMI driver occurs when the device is removed, because the clocks are freed after the controller memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Mediatek SPMI (System Power Management Interface) driver (spmi: mediatek) in the Linux kernel before fix commit 521f28eedd6b contains a use-after-free (UAF) during device removal. The pmif driver data, which holds the clock references obtained through the managed form of clk_bulk_get() (so that devres releases them), is embedded in the spmi_controller structure. On device removal the spmi_controller is freed first, and only afterwards does devres release the clocks. Putting the clocks therefore reads the clock pointers out of driver data that has already been deallocated [1]. The bug is observed in kernels built with DEBUG_TEST_DRIVER_REMOVE and KASAN enabled, which make the stale access visible, but the ordering defect exists in every configuration. The affected versions are kernels prior to the stable fix commit [1].
Exploitation
An attacker would need the ability to trigger device removal on a Mediatek system using this SPMI driver. This could be achieved through physical removal of the device or, more realistically, through a controlled driver unbind operation (e.g., echo ... > /sys/bus/platform/drivers/.../unbind). No authentication is required beyond local access to the kernel's driver management interfaces. The sequence is: (1) the driver removal path begins, (2) the spmi_controller is freed, (3) devres cleanup then attempts to release the clocks and accesses the freed memory [1]. The sequence is deterministic: it follows from the order of operations in the driver's remove path rather than from a timing window.
Impact
A successful exploit results in a use-after-free condition, which can lead to memory corruption, kernel crash (denial of service), or potentially privilege escalation if an attacker can control the freed memory contents. The attacker gains the ability to corrupt kernel heap memory, which may allow further compromise. The scope is limited to systems using the Mediatek SPMI driver with the vulnerable kernel version.
Mitigation
The fix is available in the Linux kernel stable tree as commit 521f28eedd6b ("spmi: mediatek: Fix UAF on device remove") [1]. Users should apply this patch or update to a kernel version that includes the fix. The commit switches the driver to the unmanaged clk_bulk_get() and explicitly puts the clocks before the spmi_controller is freed, so the driver data is still live when the clock pointers are read [1]. No workaround is available for unpatched kernels; the vulnerability is not listed on CISA's KEV as of the publication date. The fix was released on 2024-03-06.
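The lifetime ordering described in the Vulnerability and Mitigation sections, modelled as an added user-space illustration that is not the kernel's or the driver's code: the kernel API names (clk_bulk_get, devres, spmi_controller_put) are stand-ins with the same shape, the freed object is tracked with a flag instead of real slab poisoning, and a KASAN-style check counts accesses to the freed controller. remove_vulnerable() runs the managed-clock ordering and remove_fixed() the patched ordering.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_CLKS 3
struct clk { int refs; };
struct pmif { struct clk *clks[NUM_CLKS]; };           /* driver data ... */
struct spmi_controller { int id; struct pmif drv; };   /* ... embedded in the controller */
static struct clk clocks[NUM_CLKS];
static struct spmi_controller ctrl_mem;  /* backing store of the controller object */
static bool ctrl_freed;                  /* stands in for the slab object being freed */
static int uaf_reports;                  /* stands in for KASAN use-after-free reports */
/* Minimal devres: release actions run in reverse order of registration. */
typedef void (*devres_fn)(void *);
static struct { devres_fn fn; void *arg; } devres[4]; static int ndevres;
static void devm_add(devres_fn fn, void *arg) { devres[ndevres].fn = fn; devres[ndevres++].arg = arg; }
static void devres_release_all(void) { while (ndevres) { --ndevres; devres[ndevres].fn(devres[ndevres].arg); } }
/* KASAN-like check: a pointer into the controller is only valid while the object is live. */
static bool access_ok(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)&ctrl_mem;
    return !(a >= base && a < base + sizeof ctrl_mem) || !ctrl_freed;
}
static void clk_bulk_get(struct pmif *p) { for (int i = 0; i < NUM_CLKS; i++) { p->clks[i] = &clocks[i]; clocks[i].refs++; } }
static void clk_bulk_put(struct pmif *p) {
    if (!access_ok(p)) { uaf_reports++; return; }  /* reading p->clks[] here is the UAF */
    for (int i = 0; i < NUM_CLKS; i++) p->clks[i]->refs--;
}
static void devm_clk_release(void *p) { clk_bulk_put(p); }
static void spmi_controller_put(struct spmi_controller *c) { memset(c, 0x6b, sizeof *c); ctrl_freed = true; }

static struct spmi_controller *probe(bool managed) {
    ndevres = 0; ctrl_freed = false; uaf_reports = 0; memset(clocks, 0, sizeof clocks);
    struct spmi_controller *ctrl = &ctrl_mem;
    clk_bulk_get(&ctrl->drv);
    if (managed) devm_add(devm_clk_release, &ctrl->drv);  /* what devm_clk_bulk_get() registers */
    return ctrl;
}
int remove_vulnerable(void) {                  /* returns the number of UAF reports */
    struct spmi_controller *ctrl = probe(true);
    spmi_controller_put(ctrl);  /* controller (and embedded pmif) freed first ... */
    devres_release_all();       /* ... then devres puts the clocks through the freed pmif */
    return uaf_reports;
}
int remove_fixed(void) {                       /* unmanaged clk_bulk_get(): nothing left to devres */
    struct spmi_controller *ctrl = probe(false);
    clk_bulk_put(&ctrl->drv); spmi_controller_put(ctrl);  /* explicit put while pmif is still live */
    return uaf_reports;
}
int live_clk_refs(void) { int n = 0; for (int i = 0; i < NUM_CLKS; i++) n += clocks[i].refs; return n; }
```

In the vulnerable ordering the clock references are also never dropped, because the put bails out on the freed object, which is why live_clk_refs() stays at NUM_CLKS there and returns to 0 after the fixed ordering.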
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (4 versions, Ubuntu mantic source packages):
- pkg:deb/ubuntu/linux-aws@6.5.0-1021.21?arch=source&distro=mantic (no CPE), range: < 6.5.0-1021.21
- pkg:deb/ubuntu/linux-laptop@6.5.0-1017.20?arch=source&distro=mantic (no CPE), range: < 6.5.0-1017.20
- pkg:deb/ubuntu/linux-oem-6.5 (no CPE), range: < 6.5.0-1022.23
- pkg:deb/ubuntu/linux-oracle@6.5.0-1024.24?arch=source&distro=mantic (no CPE), range: < 6.5.0-1024.24
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.