CVE-2026-46241
Description
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix use-after-free on registration failure
Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.
This issue was flagged by Sashiko when reviewing a controller deregistration fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's mpc52xx SPI driver, a use-after-free and resource leak occur when controller registration fails because interrupts are not disabled and freed.
Vulnerability
The Linux kernel's spi: mpc52xx driver contains a vulnerability where a failure during controller registration does not disable and free the interrupts that were previously requested. This can lead to a use-after-free condition and a resource leak. The issue is present in the versions of the kernel that include the faulty code path. The exact affected version range is not explicitly stated in the provided references, but the fix commits indicate it affects the stable kernel trees. The vulnerability was flagged by Sashiko during a review of a controller deregistration fix [1][2][3][4].
Exploitation
To exploit this vulnerability, an attacker would need to trigger a registration failure of the SPI controller. This could potentially be achieved by a local attacker with the ability to load or unload the mpc52xx SPI driver, or by forcing an error condition during the driver's initialization. The attacker does not require network access or special privileges beyond the ability to interact with the kernel's device model. The sequence of steps involves causing the controller registration to fail after interrupts have been enabled, leading to the use-after-free when the driver's resources are later accessed without proper cleanup [1].
Impact
Successful exploitation of this use-after-free vulnerability could lead to a denial of service (system crash or kernel panic) or potentially allow an attacker to escalate privileges if the freed memory is reused in a controlled manner. The impact primarily affects the availability and integrity of the system, as the use-after-free can corrupt kernel memory [1]. The privilege level of the compromise is local, with the attacker requiring some ability to influence driver initialization.
Mitigation
The fix for this vulnerability is available in the Linux kernel stable repositories. The commits 8b49b6aadd0c, 5c77f11b9b5f, f62c060272b9, and 336d9ad7560b address the issue by ensuring interrupts are properly disabled and freed on registration failure [1][2][3][4]. Users should apply the latest kernel updates from their distribution. No workaround is available without patching the kernel. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
8b49b6aadd0c spi: mpc52xx: fix use-after-free on registration failure
2 files changed · +6 −2
drivers/spi/spi-mpc52xx.c+3 −1 modifieddiff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index 159f359d7501aa..8bc634bd40ab80 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -501,6 +501,9 @@ static int mpc52xx_spi_probe(struct platform_device *op) err_register: dev_err(&ms->host->dev, "initialization failed\n"); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + cancel_work_sync(&ms->work); err_gpio: while (i-- > 0) gpiod_put(ms->gpio_cs[i]); -- cgit 1.3-korg
336d9ad7560b spi: mpc52xx: fix use-after-free on registration failure
2 files changed · +6 −2
drivers/spi/spi-mpc52xx.c+3 −1 modifieddiff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index 6d4dde15ac5451..b022688221fa54 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -501,6 +501,9 @@ static int mpc52xx_spi_probe(struct platform_device *op) err_register: dev_err(&ms->host->dev, "initialization failed\n"); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + cancel_work_sync(&ms->work); err_gpio: while (i-- > 0) gpiod_put(ms->gpio_cs[i]); -- cgit 1.3-korg
5c77f11b9b5f spi: mpc52xx: fix use-after-free on registration failure
2 files changed · +6 −2
drivers/spi/spi-mpc52xx.c+3 −1 modifieddiff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index 05bbd3795e7d80..afef72896e65e7 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -498,6 +498,9 @@ static int mpc52xx_spi_probe(struct platform_device *op) err_register: dev_err(&ms->host->dev, "initialization failed\n"); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + cancel_work_sync(&ms->work); err_gpio: while (i-- > 0) gpiod_put(ms->gpio_cs[i]); -- cgit 1.3-korg
f62c060272b9 spi: mpc52xx: fix use-after-free on registration failure
2 files changed · +6 −2
drivers/spi/spi-mpc52xx.c+3 −1 modifieddiff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index c8c8e6bdf421dd..924d820448fb4a 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -498,6 +498,9 @@ static int mpc52xx_spi_probe(struct platform_device *op) err_register: dev_err(&ms->host->dev, "initialization failed\n"); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + cancel_work_sync(&ms->work); err_gpio: while (i-- > 0) gpiod_put(ms->gpio_cs[i]); -- cgit 1.3-korg
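Review bot: the two free_irq() calls added under err_register run unconditionally, and the context shown does not establish that every path reaching this label has successfully requested both ms->irq0 and ms->irq1. Calling free_irq() on a line that was never requested produces a kernel warning, so either confirm from the rest of mpc52xx_spi_probe() that both requests always succeed before registration is attempted, or guard the calls, e.g. `if (ms->irq0) free_irq(ms->irq0, ms);`. The ordering is right: with both IRQs freed before cancel_work_sync(&ms->work), a handler that schedules ms->work cannot requeue it after the cancel. The same hunk appears in each of the commits listed here, so the point applies to all of them.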
Vulnerability mechanics
Root cause
"Missing cleanup of interrupts and workqueue in the error path of mpc52xx_spi_probe() when SPI controller registration fails."
Attack vector
An attacker does not directly trigger this bug; it is a driver-probe-time error-handling flaw. If the SPI controller registration call (e.g. devm_spi_register_controller) fails in the mpc52xx_spi_probe() function, the previously requested IRQs (ms->irq0, ms->irq1) remain registered and the workqueue (ms->work) remains active. After the probe function returns failure, the device memory may be freed, but the registered interrupt handlers and scheduled work can still execute, leading to a use-after-free condition [patch_id=2897473].
Affected code
The vulnerable code is in the mpc52xx_spi_probe() function in drivers/spi/spi-mpc52xx.c. The error label err_register previously only printed an error message and fell through to err_gpio, without freeing the two IRQs (ms->irq0, ms->irq1) or cancelling the workqueue (ms->work) [patch_id=2897473].
What the fix does
The patch adds three cleanup calls at the err_register label in mpc52xx_spi_probe(): free_irq(ms->irq0, ms), free_irq(ms->irq1, ms), and cancel_work_sync(&ms->work) [patch_id=2897473]. These ensure that when controller registration fails, the previously registered interrupts are freed and any pending work is cancelled before the device resources are released, closing the use-after-free window and preventing a resource leak.
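A user-space C model of the error path described above, added here as an illustration and not taken from the kernel source or the fix commits. The `mock_*` helpers, `struct mock_spi`, the IRQ numbers and the assumption that a work item was already queued are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_IRQS 4

/* Constructed stand-ins for the driver state and the kernel IRQ table. */
struct mock_spi { bool alive; int irq0, irq1; };
struct irq_slot { bool used; struct mock_spi *dev_id; };
static struct irq_slot irq_table[NR_IRQS];
static struct mock_spi *queued_work;   /* owner of a work item still queued */

static void mock_request_irq(int irq, struct mock_spi *d) { irq_table[irq] = (struct irq_slot){ true, d }; }
static void mock_free_irq(int irq, struct mock_spi *d) { if (irq_table[irq].dev_id == d) irq_table[irq].used = false; }

/* Count references that would be followed after the driver state is released. */
static int stale_references(void)
{
    int n = (queued_work && !queued_work->alive) ? 1 : 0;
    for (int i = 0; i < NR_IRQS; i++)
        n += irq_table[i].used && !irq_table[i].dev_id->alive;
    return n;
}

/* Probe whose registration step always fails; with_fix applies the patch's cleanup. */
static int probe_and_count_stale(bool with_fix)
{
    static struct mock_spi ms;   /* static: the model never touches freed memory */

    memset(irq_table, 0, sizeof irq_table);
    ms = (struct mock_spi){ .alive = true, .irq0 = 1, .irq1 = 2 };
    mock_request_irq(ms.irq0, &ms);
    mock_request_irq(ms.irq1, &ms);
    queued_work = &ms;           /* assumption: an interrupt already queued the work */
    if (with_fix) {              /* err_register with the three added calls */
        mock_free_irq(ms.irq0, &ms);
        mock_free_irq(ms.irq1, &ms);
        queued_work = NULL;      /* models cancel_work_sync(&ms->work) */
    }
    ms.alive = false;            /* driver state released after the failed probe */
    return stale_references();
}

int main(void)
{
    printf("stale references without fix: %d, with fix: %d\n",
           probe_and_count_stale(false), probe_and_count_stale(true));
    return 0;
}
```

Each stale reference in the model corresponds to a place where the kernel would later call into or dereference the released driver state: the two interrupt handlers and the pending work item.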
Preconditions
- Input: The SPI controller registration (e.g. devm_spi_register_controller) must fail during probe of the mpc52xx-spi driver.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.