Unrated severityNVD Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-43460

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip-sfc: Fix double-free in remove() callback

The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.

And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71nvd
git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400nvd
git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000