Skip to main content

Linux Kernel EUVDEUVD-2026-27584

| CVE-2026-43087 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 01, 2026 - 20:31 vuln.today
CVSS changed
Jun 01, 2026 - 18:22 NVD
5.5 (MEDIUM)
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mcp23s08: Disable all pin interrupts during probe

A chip being probed may have the interrupt-on-change feature enabled on some of its pins, for example after a reboot. This can cause the chip to generate interrupts for pins that don't have a registered nested handler, which leads to a kernel crash such as below:

[ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac [ 7.932314] Mem abort info: [ 7.935081] ESR = 0x0000000096000004 [ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits [ 7.944094] SET = 0, FnV = 0 [ 7.947127] EA = 0, S1PTW = 0 [ 7.950247] FSC = 0x04: level 0 translation fault [ 7.955101] Data abort info: [ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000 [ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000 [ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP [ 7.992545] Modules linked in: [ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199 [ 8.073689] Hardware name: Khadas VIM3 (DT) [ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80 [ 8.098970] lr : handle_nested_irq+0x2c/0x168 [ 8.098979] sp : ffff800082b2bd20 [ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88 [ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00 [ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e [ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000 [ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000 [ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c [ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00 [ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001 [ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac [ 8.170560] Call trace: [ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P) [ 8.184443] mcp23s08_irq+0x248/0x358 [ 8.184462] irq_thread_fn+0x34/0xb8 [ 8.184470] irq_thread+0x1a4/0x310 [ 8.195093] kthread+0x13c/0x150 [ 8.198309] ret_from_fork+0x10/0x20 [ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01) [ 8.207931] ---[ end trace 0000000000000000 ]---

This issue has always been present, but has been latent until commit "f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type"), which correctly removed reg_defaults from the regmap and as a side effect changed the behavior of the interrupt handler so that the real value of the MCP_GPINTEN register is now being read from the chip instead of using a bogus 0 default value; a non-zero value for this register can trigger the invocation of a nested handler which may not exist (yet). Fix this issue by disabling all pin interrupts during initialization.

AnalysisAI

Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.

Technical ContextAI

The MCP23S08 (SPI) and MCP23008 (I2C) are Microchip GPIO expander ICs managed by the Linux pinctrl-mcp23s08 driver. The chip's MCP_GPINTEN register controls per-pin interrupt-on-change; because this register is stored in the chip's hardware state, it survives a warm reboot without a power-cycle. Prior to commit f9f4fda15e72, the driver's regmap cache defaulted MCP_GPINTEN to zero, masking any live hardware value; that commit correctly switched to reading actual hardware state, which as a side effect exposed the latent bug: a non-zero MCP_GPINTEN causes mcp23s08_irq() to invoke handle_nested_irq() for a handler that has not yet been registered during probe, dereferencing a NULL irq_desc pointer at address 0x00000000000000ac. The fix is to explicitly write zero to MCP_GPINTEN at the start of probe initialization, clearing any stale interrupt-enable bits before the IRQ thread can fire. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. CWE is not formally assigned, but the root cause class is use-before-initialization - specifically, a missing hardware reset of an interrupt-enable register before IRQ infrastructure is prepared.

RemediationAI

Upgrade to Linux kernel 6.19.14 or 7.0, both of which contain the fix that writes zero to MCP_GPINTEN during mcp23s08 probe, preventing stale interrupt-enable bits from triggering the crash. The upstream fix commits are f8c3258541a0680a4ebc08b05b2bc5fdad3288a9 (https://git.kernel.org/stable/c/f8c3258541a0680a4ebc08b05b2bc5fdad3288a9) and db5b8cecbdf479ad13156af750377e5b43853fab (https://git.kernel.org/stable/c/db5b8cecbdf479ad13156af750377e5b43853fab); either can be backported to older stable branches. If patching is not immediately feasible, three compensating controls can prevent the crash: (1) Ensure a hardware power-cycle of the MCP23S08/MCP23008 chip occurs on every system reboot by connecting the chip's reset line to a GPIO toggled in the shutdown sequence - this clears MCP_GPINTEN to zero before the next probe; trade-off is added board design or init-script complexity. (2) Disable use of the chip's interrupt-on-change feature in application firmware, ensuring MCP_GPINTEN remains zero at all times - trade-off is loss of GPIO interrupt capability, requiring polling instead. (3) Blacklist or defer loading of the mcp23s08 kernel module until after a controlled chip reset sequence completes - trade-off is added boot complexity and potential ordering issues with dependent drivers. The kernel patch is strongly preferred as the only durable fix.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy