VYPR
High severity 7.8 · NVD Advisory · Published Apr 3, 2026 · Updated May 20, 2026

CVE-2026-31389


Description

In the Linux kernel, the following vulnerability has been resolved:

spi: fix use-after-free on controller registration failure

Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Linux kernel SPI subsystem during controller registration when per-CPU statistics allocation fails.

In the Linux kernel's SPI subsystem, if the allocation of per-CPU statistics fails during controller registration, the controller is not deregistered from the driver core, leading to a use-after-free condition. This occurs because the error path does not call the necessary cleanup routines, leaving stale references to freed driver resources [1][2].

Exploitation requires a local attacker with the ability to trigger the specific failure condition during SPI controller registration. The vulnerability is not remotely exploitable and requires system access. The attack surface is limited to systems where SPI controllers are dynamically registered and where memory allocation can be forced to fail [3].

An attacker who successfully triggers this use-after-free could execute arbitrary code or cause a denial of service. The freed memory may be reused, leading to potential privilege escalation or system instability. Additionally, unclocked register accesses could corrupt hardware state [4].

The fix is included in the Linux kernel stable tree with the referenced commits. Users should update to a patched kernel version. There are no known workarounds other than applying the patch.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
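
The error path described above, reduced to a userspace C model (an added example, not kernel code and not part of this advisory): `registry` stands in for the driver core, and every name in it is hypothetical. With `unwind_core` false, a failed registration leaves the core holding a pointer the caller is about to free; with it true, that reference is dropped first.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: all names are hypothetical, none is a kernel API. */
#define SLOTS 4
struct ctlr { void *stats; };
static struct ctlr *registry[SLOTS];  /* stands in for the driver core */
bool fail_stats_alloc;                /* knob: force the statistics allocation to fail */

static int core_add(struct ctlr *c)
{
    for (int i = 0; i < SLOTS; i++)
        if (!registry[i]) { registry[i] = c; return 0; }
    return -1;
}

static void core_del(struct ctlr *c)
{
    for (int i = 0; i < SLOTS; i++)
        if (registry[i] == c) registry[i] = NULL;
}

/* True while the core still holds a pointer to c (compared, never dereferenced). */
bool core_knows(const struct ctlr *c)
{
    for (int i = 0; i < SLOTS; i++)
        if (registry[i] == c) return true;
    return false;
}

/* unwind_core=false models the missing cleanup, true the corrected error path. */
int ctlr_register(struct ctlr *c, bool unwind_core)
{
    if (core_add(c))
        return -1;
    c->stats = fail_stats_alloc ? NULL : calloc(1, 64);
    if (!c->stats) {
        if (unwind_core)
            core_del(c);  /* drop the core's reference before the caller frees c */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct ctlr c = {0};
    fail_stats_alloc = true;
    return (ctlr_register(&c, true) == -1 && !core_knows(&c)) ? 0 : 1;
}
```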

Affected products

1

Patches

0

No patches discovered yet.


References

6
