Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's SPI Cadence component allows out-of-bounds array access in the function 'cdns_mrvl_xspi_setup_clock()'. When the requested clock exceeds 128, the function iterates through the entire clock division list array without an early exit, causing the index to exceed the array bounds. The flaw has been addressed by modifying the loop to stop at the last entry and by clamping the clock to a minimum of 6.25 MHz. The flaw also triggered a warning on kernels built with UBSAN about an unexpected end of the function's text section.
Exploitation of this vulnerability could lead to out-of-bounds memory access, potentially causing undefined behavior such as memory corruption.
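The loop pattern described above, as an added example: a simplified user-space model, not the kernel's source. The divisor table, the 800 MHz reference clock and the function names are assumptions made for illustration; in this model the search finds no match when the request is slower than every table entry.

```c
#include <stdio.h>
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define REF_CLOCK_HZ 800000000L	/* assumed reference clock for this model */

/* Constructed divisor table, fastest first; 800 MHz / 128 = 6.25 MHz. */
static const int clk_div_list[] = { 4, 8, 16, 32, 64, 128 };

/* Before: the only early exit is a match, so when no entry matches the
 * loop ends with i == ARRAY_SIZE(clk_div_list), one past the end. */
static size_t pick_div_index_unbounded(long requested_hz)
{
	size_t i = 0;

	while (i < ARRAY_SIZE(clk_div_list)) {
		if (REF_CLOCK_HZ / clk_div_list[i] <= requested_hz)
			break;
		i++;
	}
	return i;	/* using clk_div_list[i] here can read out of bounds */
}

/* After: stop at the last entry, so a request that no entry satisfies
 * is clamped to the slowest clock in the table (6.25 MHz here). */
static size_t pick_div_index_clamped(long requested_hz)
{
	size_t i = 0;

	while (i < ARRAY_SIZE(clk_div_list) - 1) {
		if (REF_CLOCK_HZ / clk_div_list[i] <= requested_hz)
			break;
		i++;
	}
	return i;
}

/* Clock selected by the fixed lookup. */
static long clamped_clock_hz(long requested_hz)
{
	return REF_CLOCK_HZ / clk_div_list[pick_div_index_clamped(requested_hz)];
}

int main(void)
{
	long req = 1000000;	/* constructed request: slower than any entry */

	printf("unbounded index %zu of %zu entries\n",
	       pick_div_index_unbounded(req), ARRAY_SIZE(clk_div_list));
	printf("clamped index %zu -> %ld Hz\n",
	       pick_div_index_clamped(req), clamped_clock_hz(req));
	return 0;
}
```

The unbounded variant only returns the index and never dereferences it, so the model itself stays within defined behaviour while showing the off-the-end value.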