Linux Kernel Double Free, CVE-2026-23068 (Medium)

Listen to this Post

In the Linux kernel, a vulnerability was found in the SPI SPRD ADI driver, specifically in how it handles errors during the device probe process. The driver originally allocated a SPI controller using spi_alloc_host(). It then registered this controller with the device management framework using devm_spi_register_controller(), which ensures resources are automatically cleaned up if the probe fails later. The issue arose in the error path: if a subsequent function, devm_register_restart_handler(), failed, the code would jump to a label and manually call `spi_controller_put()` to release the controller. However, because the controller was registered with a `devm_` (managed device) function, the kernel’s device resource management core was already set to automatically release the controller if the probe failed. This resulted in two separate calls to free the same `spi_controller` structure, leading to a double-free. This type of memory corruption can cause a system crash or be potentially exploitable for other malicious purposes. The fix was to replace the manual allocation with devm_spi_alloc_host(), which ties the controller’s lifecycle entirely to the device’s management, and to remove the manual `spi_controller_put()` call from the error path, preventing the double-free.

DailyCVE Form:

Platform: Linux Kernel
Version: 4.17 to 6.19-rc6
Vulnerability: Double free
Severity: Medium
date: Feb 4 2026

Prediction: Patched Feb 2026

What Undercode Say:

Analytics:

This vulnerability resides in the SPI (Serial Peripheral Interface) driver for Spreadtrum ADI (Accessory Die Interface). The issue was introduced in kernel version 4.17 by commit `ac1775012058` and fixed in multiple stable updates, including 6.6.122, 6.12.68, and 6.19-rc7. The CVSS 3.1 base score is 4.4 (Medium), with a vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating a local attack with high privileges required that impacts availability. Major distributions like Debian, Ubuntu, and SUSE have released or are preparing advisories (DSA-6126, DSA-6127, DLA-4476) to address this flaw. The vulnerability is specific to systems using the Spreadtrum ADI hardware and the respective kernel driver, not a generic SPI subsystem issue.

Bash Commands and Code:

Check your current kernel version
uname -r
Check if your kernel is affected by the introduced commit
(Introduced in 4.17, check if your version is >= 4.17 and not patched)
Example for Debian/Ubuntu to see if a fix is available:
apt-cache policy linux-image-$(uname -r)
To see the fix commit
git show 383d4f5cffcc
The vulnerable code pattern (before fix) in drivers/spi/spi-sprd-adi.c
sprd_adi_probe(struct platform_device pdev)
{
ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi));
...
ret = devm_spi_register_controller(&pdev->dev, ctlr);
...
ret = devm_register_restart_handler(...);
if (ret)
goto put_ctlr;
...
put_ctlr:
spi_controller_put(ctlr); // <-- The double-free call
return ret;
}
The fixed code pattern (after fix)
sprd_adi_probe(struct platform_device pdev)
{
ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); // Changed
...
ret = devm_spi_register_controller(&pdev->dev, ctlr);
...
ret = devm_register_restart_handler(...);
if (ret)
return ret; // Direct return, no manual put
...
}

Exploit:

The vulnerability is triggered only in a specific error path during kernel driver initialization. An attacker would need:
1. High Privileges: The ability to load or influence the probing of the specific SPI driver (spi-sprd-adi).
2. Trigger the Error Condition: The attack would involve causing `devm_register_restart_handler()` to fail. This could potentially be achieved by manipulating system resources or state to make the registration function return an error.
3. Result: Upon the probe failure, the kernel would execute the double-free, leading to a potential crash (denial of service). In specific memory layouts, this could potentially be leveraged for arbitrary code execution, though the primary and most immediate impact is system instability.

Protection from this CVE:

  1. Apply Kernel Updates: The primary and most effective protection is to update the Linux kernel to a version containing the fix. This includes versions 6.19-rc7 and later, or specific stable backports like 6.6.122, 6.12.68, and 6.18.8.
  2. Distribution Patches: Users of enterprise or LTS distributions should install the specific kernel updates provided by their vendor (e.g., Debian’s 6.1.162-1, Ubuntu’s updates for HWE kernels).
  3. Backporting: If an immediate update is not possible, system administrators can manually backport the commit `383d4f5cffcc` to their kernel source and recompile, though this is not recommended by the kernel community due to the complexity and potential for introducing other issues.
  4. Mitigation: There is no known kernel configuration or sysctl workaround to disable this specific driver without impacting hardware functionality. The only mitigation is to ensure the vulnerable code is not executed, which is achieved by updating the kernel.

Impact:

A successful exploit of CVE-2026-23068 leads to a double-free condition in the kernel memory. The most immediate and likely impact is a kernel panic (system crash), resulting in a denial of service. This makes the system unreliable and unavailable. While less likely, memory corruption bugs of this nature can sometimes be refined to corrupt kernel structures and lead to privilege escalation, allowing an attacker with local access and high privileges to gain even greater control over the system. The vulnerability is specific to systems using the affected Spreadtrum hardware.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top