spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.
Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.
Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Debian DLA |
DLA-4499-1 | linux-6.1 security update |
Debian DSA |
DSA-6141-1 | linux security update |
Debian DSA |
DSA-6163-1 | linux security update |
Ubuntu USN |
USN-8100-1 | Linux kernel (NVIDIA) vulnerabilities |
Ubuntu USN |
USN-8163-1 | Linux kernel (Azure FIPS) vulnerabilities |
Ubuntu USN |
USN-8163-2 | Linux kernel (Azure) vulnerabilities |
Ubuntu USN |
USN-8278-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8296-1 | Linux kernel (FIPS) vulnerabilities |
Ubuntu USN |
USN-8296-2 | Linux kernel (NVIDIA Tegra) vulnerabilities |
Ubuntu USN |
USN-8278-2 | Linux kernel (Azure) vulnerabilities |
Thu, 11 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 19 Mar 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-476 | |
| CPEs | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |
|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Tue, 17 Feb 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Sat, 14 Feb 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free. | |
| Title | spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
|
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-11T18:44:10.001Z
Reserved: 2026-01-13T15:37:45.986Z
Link: CVE-2026-23202
Updated: 2026-06-11T17:38:07.604Z
Status : Analyzed
Published: 2026-02-14T17:15:58.050
Modified: 2026-06-17T10:21:05.447
Link: CVE-2026-23202
OpenCVE Enrichment
Updated: 2026-04-18T12:15:15Z
Debian DLA
Debian DSA
Ubuntu USN