Linux kernel spi:mpc52xx driver -DC-Jun2026-368


Use-After-Free (UAF)

CVE-2026-46200 (Medium)

The vulnerability arises in the `spi-mpc52xx` driver of the Linux kernel. During driver unbind, the `mpc52xx_spi_remove()` function incorrectly tears down resources: it first disables interrupts and releases GPIO pins, and only afterward calls `spi_unregister_controller()`. This leaves the SPI controller registered with the kernel’s device model while its supporting resources are already freed. Any later access, even a benign `lsmod` or a malicious call, can attempt to use those freed resources. This improper teardown order effectively creates a classic use-after-free (UAF) bug.
An attacker with local access and the ability to unload the kernel module (e.g., via `rmmod`) could trigger the flaw. After the driver is removed, a subsequent SPI operation, either from another kernel thread or a userspace program, might try to interact with the controller. Because the controller remains registered, the kernel will attempt to use the freed `spi_master` structure. This leads to memory corruption, a kernel panic, or, under carefully controlled conditions, arbitrary code execution with kernel privileges. The bug is tracked as CWE-459 (Incomplete Cleanup) and CWE-416 (Use After Free). It requires local access and low privileges (ability to load/unload modules) to exploit.
The issue was introduced in Linux kernel version 2.6.33 with the first commit of the `spi-mpc52xx` driver. It affects all kernel versions from 2.6.33 up to and including the early 6.18 series. The fix has been backported to stable trees. Red Hat Enterprise Linux distributions are not affected (RHEL6/7/8/9/10).

DailyCVE Form:

Platform: Linux Kernel
Version: 2.6.33–6.18
Vulnerability: Use After Free
Severity: Medium
Date: 2026-05-28

Prediction: June 2026

What Undercode Say:

The `mpc52xx` teardown-order bug can be checked for and reasoned about with the following shell commands and code snippets.

# Check if the vulnerable driver is loaded
lsmod | grep mpc52xx
# Show kernel version (affected: < 6.12.90, < 6.18.32, < 7.0.9)
uname -r
# Manually trigger the bug (requires root)
modprobe -r spi_mpc52xx
# afterwards, lsmod | grep mpc52xx should show '0' while the controller is still registered
/* Code snippet from the faulty driver (simplified) */
static int mpc52xx_spi_remove(struct platform_device *op)
{
	struct mpc52xx_spi *ms = dev_get_drvdata(&op->dev);

	/* BUG: free resources BEFORE unregistering the controller */
	free_irq(ms->irq, ms);
	gpio_free(ms->gpio_cs);
	iounmap(ms->regs);
	spi_unregister_master(ms->master);	/* too late – UAF */
	return 0;
}
Correct teardown sequence (fixed patch), from commit a3669f678d0ee8b686d3eea4c0ed9817c9374945:
diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -447,12 +447,12 @@ static int mpc52xx_spi_remove(struct platform_device op)
{
struct mpc52xx_spi ms = dev_get_drvdata(&op->dev);
+ spi_unregister_master(ms->master); // move up
free_irq(ms->irq, ms);
gpio_free(ms->gpio_cs);
iounmap(ms->regs);
kfree(ms);
kfree(ms->master);
return 0;
}
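Review bot: the two `kfree()` calls at the end of this hunk are wrong as shown: `kfree(ms->master);` reads `ms` one line after `kfree(ms);` has freed it, which is itself a use-after-free in the "fixed" code, and the controller object should be released through the SPI core's own put routine (`spi_master_put()`) after `spi_unregister_master()` rather than freed by hand. The hunk also adds `+ spi_unregister_master(ms->master);` at the top without a `-` line removing the original call that sat after `iounmap(ms->regs);`, so either the diff is incomplete or the controller is now unregistered twice; the header's `-447,12 +447,12` counts do not fit a hunk with one added line and no removed lines either. Minor: kernel style wants a `/* ... */` comment instead of `// move up`, and a comment stating why the order matters (the controller must be unregistered before its IRQ, GPIO and register mapping are released) is more useful than one saying the line moved.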

Exploit:

A local attacker can craft a small kernel module that, after the vulnerable driver is removed, calls `spi_write()` on the still-registered controller. This causes the kernel to dereference the freed `spi_master` structure, leading to a use-after-free. While arbitrary code execution is theoretically possible, the complexity is high; the most practical outcome is a kernel panic (denial of service). Example pseudocode:

/* Trigger UAF after mpc52xx_spi_remove() */
struct spi_master *master = spi_busnum_to_master(0);
if (master) {
	/* master->private_data is already freed */
	spi_write(master, ...);	/* -> crash */
}

Protection:

  1. Patch the kernel – Apply the fix from upstream commit `a3669f678d0ee8b686d3eea4c0ed9817c9374945` (or any of the backported commits).
  2. Blacklist the driver – Prevent the `spi_mpc52xx` module from loading automatically:
     echo "blacklist spi_mpc52xx" >> /etc/modprobe.d/blacklist.conf
  3. Disable SPI support – If the SPI controller is not needed, disable `CONFIG_SPI_MPC52XX` in the kernel configuration.
  4. Restrict module loading – Use `sysctl` to disallow loading of kernel modules entirely:
     sysctl -w kernel.modules_disabled=1
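As an added example, not taken from the advisory or from the kernel tree, the following POSIX shell script turns the manual `uname -r` and `lsmod` checks above into something a fleet script can run: it normalises a kernel release string, compares it against the fixed releases the post quotes (6.12.90, 6.18.32 and 7.0.9, with 2.6.33 as the release that introduced the driver), and looks for `spi_mpc52xx` in a `/proc/modules`-style listing. The sample module listing is constructed, and the rule that every other series in that range counts as affected while 7.1 and later carry the fix is an assumption made here for a conservative check, not something the advisory states.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel tree: script the version and
# module checks for this bug. The fixed releases (6.12.90, 6.18.32, 7.0.9) and the
# introducing release (2.6.33) are the ones the advisory quotes; the rule that
# every other series in that range counts as affected, and that 7.1 and later
# carry the fix, is an assumption made here for a conservative check.

# "6.12.85-generic" -> "6.12.85", "6.18.0-rc3+" -> "6.18.0"
kver_base() {
    printf '%s\n' "$1" | sed 's/[-+].*$//'
}

# Split MAJ.MIN.PATCH into KV_MAJ KV_MIN KV_PATCH; missing parts become 0.
kver_split() {
    IFS=. read -r KV_MAJ KV_MIN KV_PATCH _ <<EOF
$1
EOF
    KV_MAJ=${KV_MAJ:-0}; KV_MIN=${KV_MIN:-0}; KV_PATCH=${KV_PATCH:-0}
}

# Compare two dotted versions numerically and print -1, 0 or 1.
kver_cmp() {
    kver_split "$1"; a1=$KV_MAJ; a2=$KV_MIN; a3=$KV_PATCH
    kver_split "$2"; b1=$KV_MAJ; b2=$KV_MIN; b3=$KV_PATCH
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Print affected / fixed / not-affected / unknown for a `uname -r` string.
# Exit status 0 means "affected", so the function can be used in a condition.
kver_status() {
    v=$(kver_base "$1")
    case "$v" in
        ""|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    if [ "$(kver_cmp "$v" 2.6.33)" -lt 0 ]; then echo not-affected; return 1; fi
    kver_split "$v"
    case "$KV_MAJ.$KV_MIN" in
        6.12) fixed=6.12.90 ;;
        6.18) fixed=6.18.32 ;;
        7.0)  fixed=7.0.9 ;;
        *)
            # Assumption: 7.1+ includes the mainline fix; any other series has no
            # fixed release listed in the advisory, so treat it as affected.
            if [ "$(kver_cmp "$v" 7.1.0)" -ge 0 ]; then echo fixed; return 1; fi
            echo affected; return 0 ;;
    esac
    if [ "$(kver_cmp "$v" "$fixed")" -lt 0 ]; then echo affected; return 0; fi
    echo fixed; return 1
}

# Return 0 when MODULE ($1) appears in a /proc/modules-style listing ($2).
module_listed() {
    printf '%s\n' "$2" | grep -q "^$1 "
}

# Constructed sample listing in /proc/modules format (not captured from a real host).
SAMPLE_MODULES='spi_mpc52xx 16384 0 - Live 0xffffffffc0a00000
spidev 20480 0 - Live 0xffffffffc09f0000'

# Report on the running host; tolerates systems without /proc/modules.
report_host() {
    rel=$(uname -r 2>/dev/null || echo unknown)
    printf 'kernel %s: %s\n' "$rel" "$(kver_status "$rel")"
    if [ -r /proc/modules ] && module_listed spi_mpc52xx "$(cat /proc/modules)"; then
        echo "spi_mpc52xx is loaded: on an affected kernel, unload and blacklist it"
    else
        echo "spi_mpc52xx is not loaded"
    fi
}

report_host
```

Run it as root on each host and act on any `affected` line by applying the vendor kernel update or the blacklist step above. Note that `kernel.modules_disabled=1` from step 4 is one-way: once set it stays set until reboot, so apply it only after every module the host needs has been loaded.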

Impact:

  • System instability – A kernel panic crashes the system, leading to denial of service.
  • Memory corruption – Freed pointers may be reused, potentially allowing arbitrary kernel memory writes.
  • Privilege escalation – Under rare, highly controlled conditions, an attacker might achieve code execution in kernel context, bypassing normal security boundaries.
  • Local only – The attack requires local access and the ability to load/unload kernel modules (i.e., root or sudo privileges).
  • Embedded systems – The MPC52xx SoC is common in industrial, automotive, and networking gear; these devices are often physically exposed and may run untrusted code, increasing the real-world risk.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
