2439908 – (CVE-2026-23202) CVE-2026-23202 kernel: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer

Bug 2439908 (CVE-2026-23202) - CVE-2026-23202 kernel: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer

Summary: CVE-2026-23202 kernel: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_co...

Keywords:
Status:	NEW
Alias:	CVE-2026-23202
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-14 17:02 UTC by OSIDB Bzimport
Modified:	2026-02-16 23:16 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-14 17:02:32 UTC

In the Linux kernel, the following vulnerability has been resolved:

spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer

The curr_xfer field is read by the IRQ handler without holding the lock
to check if a transfer is in progress. When clearing curr_xfer in the
combined sequence transfer loop, protect it with the spinlock to prevent
a race with the interrupt handler.

Protect the curr_xfer clearing at the exit path of
tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race
with the interrupt handler that reads this field.

Without this protection, the IRQ handler could read a partially updated
curr_xfer value, leading to NULL pointer dereference or use-after-free.

Comment 1 Alexander B 2026-02-16 17:11:19 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021437-CVE-2026-23202-0480@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.