VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68746

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Fix timeout handling

When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached.

While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory.

To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run.

While at it, also make sure to clear interrupts on failure so that new interrupts can be run.

A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's Tegra210 QSPI driver can cause a use-after-free when a timeout occurs before the interrupt handler runs.

Vulnerability

Overview

In the Linux kernel's spi-tegra210-quad driver, a race condition exists between the transfer timeout and the interrupt handler. When the CPU handling the QSPI interrupt (typically CPU 0) is excessively busy, the interrupt handler may not run before the transfer timeout is reached. The timeout cleanup marks the pending message as failed and frees associated memory, but the driver's curr_xfer pointer is left pointing to stale memory. This can lead to a use-after-free if the interrupt handler subsequently accesses that pointer.

Exploitation

An attacker would need to trigger a QSPI transfer on a system where the interrupt-handling CPU is heavily loaded, causing the interrupt handler to be delayed past the timeout. No privileges beyond normal user privileges are required; the vulnerability can be triggered by legitimate SPI operations under high system load. The race window is narrow, making exploitation difficult but not impossible.

Impact

If the race is successfully triggered, the interrupt handler may dereference a freed curr_xfer pointer, leading to memory corruption or a kernel crash (denial of service). In theory, this could be leveraged for privilege escalation, but the description does not provide evidence of such exploitation.

Mitigation

The fix, applied to multiple stable kernel branches including 5.10, 5.15, 6.1, and 6.6 stable trees [1][2][3][4], clears curr_xfer to NULL upon timeout and adds a check in the interrupt handler to abort if curr_xfer is NULL. It also ensures interrupts are cleared on failure. Users should update to the latest stable kernels or backport the patches.
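The ordering the commit message describes (timeout cleanup first, IRQ thread later) and the two parts of the fix summarised above (clearing curr_xfer and clearing interrupts on failure), as an added C model that is not the kernel driver's code; the struct names, the `released` flag and the `fixed` switch are constructed for illustration.

```c
/* Added model (not the kernel driver's code) of the tegra210-quad race.
 * The "released" flag stands in for memory handed back to the SPI core
 * when a message fails; reading it from the IRQ thread models the UAF. */
#include <stddef.h>
#include <stdbool.h>

struct xfer { int len; bool released; };   /* one transfer (constructed) */

struct qspi {
    struct xfer *curr_xfer;  /* in-flight transfer, as in the real driver */
    bool irq_pending;        /* models the controller's latched status */
    bool fixed;              /* false = pre-patch, true = patched behaviour */
};

enum irq_result { IRQ_COMPLETED, IRQ_IGNORED_NO_XFER, IRQ_STALE_ACCESS };

static bool irq_pending_after_timeout;  /* was the interrupt left latched? */

/* Timeout path: fail the message and release its transfer. */
static void handle_timeout(struct qspi *q)
{
    if (q->curr_xfer)
        q->curr_xfer->released = true;  /* SPI core now owns/frees it */
    if (q->fixed) {
        q->curr_xfer = NULL;     /* fix: no dangling pointer left behind */
        q->irq_pending = false;  /* fix: clear interrupts on failure */
    }
}

/* Threaded IRQ handler, possibly scheduled long after the timeout. */
static enum irq_result irq_thread(struct qspi *q)
{
    if (!q->curr_xfer)
        return IRQ_IGNORED_NO_XFER;   /* fix: transfer already timed out */
    if (q->curr_xfer->released)
        return IRQ_STALE_ACCESS;      /* pre-patch: stale curr_xfer used */
    q->irq_pending = false;
    return IRQ_COMPLETED;
}

/* The sequence the commit describes: timeout first, IRQ thread later. */
static enum irq_result run_late_irq(bool fixed)
{
    struct xfer x = { .len = 64, .released = false };
    struct qspi q = { .curr_xfer = &x, .irq_pending = true, .fixed = fixed };
    handle_timeout(&q);
    irq_pending_after_timeout = q.irq_pending;  /* snapshot before the IRQ */
    return irq_thread(&q);
}
```

With `fixed` false the late IRQ thread touches the released transfer and the interrupt stays latched; with `fixed` true it sees a NULL curr_xfer and returns without touching anything.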

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
