CVE-2026-45996

NameCVE-2026-45996
DescriptionIn the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed). Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)bullseye5.10.223-1fixed
bullseye (security)5.10.257-1fixed
bookworm6.1.170-3vulnerable
bookworm (security)6.1.174-1vulnerable
trixie6.12.86-1fixed
trixie (security)6.12.90-2fixed
forky7.0.10-1fixed
sid7.0.12-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcebullseye(not affected)
linuxsourcetrixie6.12.86-1
linuxsource(unstable)7.0.4-1

Notes

[bullseye] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/1c78c2002380a1fe31bfb01a3d5f29809e55a096 (7.1-rc1)
Search for package or bug name: Reporting problems