LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26807: spi: cadence-qspi: fix pointer reference in runtime PM hooks

In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller *host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel bug in the Cadence QuadSPI flash driver. On systems using that driver, power-management startup can pass the wrong internal pointer, causing memory corruption or a kernel crash during device probing. Evidence points to stability impact on affected platforms with this hardware path, not a broadly internet-facing flaw.

Executive priority

Handle through normal kernel patch governance, with higher priority for products or appliances relying on Cadence QuadSPI storage. There is no cited active exploitation, but crashes during hardware initialization can affect service availability and device reliability.

Technical view

The cadence-quadspi runtime PM hooks incorrectly treat device drvdata as both struct cqspi_st and struct spi_controller. Probe stores cqspi_st, so spi_controller_resume() receives the wrong pointer during runtime resume. The source reports memory corruption and at least one kernel crash, with behavior dependent on memory contents.

Likely exposure

Exposure is likely limited to Linux systems using the cadence-quadspi driver, commonly embedded or SoC platforms with Cadence QuadSPI flash controllers. Systems not building or loading this driver are unlikely to be exposed based on the provided sources.

Exploitation context

The source bundle does not show KEV listing, public exploitation, or a remote attack path. The reported impact occurs during device probing and runtime power-management handling. Treat this as a platform stability and kernel integrity issue unless vendor evidence says otherwise.

Researcher notes

The key condition is drvdata type confusion in runtime PM callbacks, not a generic SPI issue. The CVE text says all platforms using cadence-quadspi may be affected, but exact behavior depends on memory layout and contents. No CVSS, CWE, or exploitability detail is provided.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • Check distribution advisories, including Debian LTS, for patched kernel packages.
  • Prioritize affected hardware platforms that load cadence-quadspi.
  • If updates are unavailable, seek vendor guidance for safe operational workarounds.

Validation and detection

  • Inventory kernels and confirm whether cadence-quadspi is built or loaded.
  • Compare deployed kernel versions against vendor fixed releases and stable commits.
  • Review boot logs for cadence-quadspi probe failures or kernel crashes.
  • Confirm patched systems boot and exercise QuadSPI flash access normally.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26807 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c, 2087e85bb66ee3652dafe732bb9b9b896229eafc, 2087e85bb66ee3652dafe732bb9b9b896229eafc, 2087e85bb66ee3652dafe732bb9b9b896229eafc, e3f9fc9a4f1499cc9e1bad4482d377494e367b3d, 6716203844bc8489af5e5564f0fa31e0c094a7ff, b24f1ecc8fe2ceefc14af02edb1744c246d87bf7, d453f25faf681799d636fe9d6899ad91c45aa11e, 18cb554e9da81bc4eca653c17a0d65e8b5835c09, 1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab, 6.1.28, 4.19.283, 5.4.243, 5.10.180, 5.15.111, 6.2.15, 6.3.2unaffected
LinuxLinux6.4, 0, 6.1.140, 6.6.21, 6.7.9, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.