VYPR
Medium severity 5.5 · NVD Advisory · Published May 1, 2026 · Updated May 11, 2026

CVE-2026-31783

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback

aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.
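
The cleanup pattern described above, modelled in user space as an added example; it is not the kernel patch or the driver's code. Every `model_*` name is hypothetical, and `model_add_action_or_reset()` mirrors the kernel's `devm_add_action_or_reset()`, which is an assumption about the helper the fix uses.

```c
/* User-space model of the fix, constructed for illustration; not kernel code. */
#include <stdio.h>
#define MAX_ACTIONS 8
static int registered_engines; /* stands in for the on-host ECC engine list */
struct model_dev { /* hypothetical stand-in for struct device and its devres */
    void (*action[MAX_ACTIONS])(void);
    int nr_actions;
};

static void model_register_engine(void) { registered_engines++; }
static void model_unregister_engine(void) { registered_engines--; }
/* Like devm_add_action_or_reset(): queue fn, or run it at once if queuing fails. */
static int model_add_action_or_reset(struct model_dev *dev, void (*fn)(void))
{
    if (dev->nr_actions == MAX_ACTIONS) { fn(); return -1; }
    dev->action[dev->nr_actions++] = fn;
    return 0;
}

/* Driver core releasing managed resources in reverse order. */
static void model_release_all(struct model_dev *dev)
{
    while (dev->nr_actions > 0)
        dev->action[--dev->nr_actions]();
}

/* Probe: register the engine, attach cleanup if fixed, then a later step may fail. */
static int model_probe(struct model_dev *dev, int with_fix, int later_step_fails)
{
    model_register_engine();
    if (with_fix && model_add_action_or_reset(dev, model_unregister_engine))
        return -1;
    return later_step_fails ? -1 : 0;
}

/* Engines still registered once the device is gone (failed probe or remove). */
int stale_engines(int with_fix, int later_step_fails)
{
    struct model_dev dev = { .nr_actions = 0 };
    registered_engines = 0;
    (void)model_probe(&dev, with_fix, later_step_fails);
    model_release_all(&dev); /* runs after a failed probe and after remove() */
    return registered_engines;
}

int main(void) {
    printf("stale engines: unfixed=%d fixed=%d\n", stale_engines(0, 1), stale_engines(1, 1));
    return 0;
}
```

Without the queued action, the registration outlives the device on both paths; with it, the same release step that follows a failed probe or a remove undoes the registration.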

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing ECC engine teardown in the Amlogic SPI flash controller driver could lead to resource leaks during probe failure or device removal.

The vulnerability resides in the Amlogic SPI flash controller (spifc-a4) driver within the Linux kernel. During probe (aml_sfc_probe()), the driver registers an on-host NAND ECC engine, and the fix addresses the absence of a corresponding teardown, ensuring nand_ecc_unregister_on_host_hw_engine() is called both on probe failures and during device removal.

Exploitation requires no special privileges; the bug manifests during normal driver loading or unloading sequences. An attacker would need the ability to repeatedly trigger driver probe failures (e.g., via hot-plugging/unplugging or fw-loading) to accumulate leaked resources, potentially degrading system stability.

The impact is primarily resource exhaustion leading to denial of service (CVSS 5.5). An unprivileged local user could cause a system hang by exhausting kernel memory, though there is no evidence of data corruption or privilege escalation.

A patch has been merged into the Linux kernel stable tree (commits tracked in [1][2][3]). Systems running affected kernel versions should apply the update. No workaround exists other than updating the kernel.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel: 8 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.18.1,<6.18.22)
    • cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
  • amlogic/spifc-a4 (llm-fuzzy)

Patches

0

No patches discovered yet.

References

3
