CVE-2026-43087
Awaiting Analysis Awaiting Analysis - Queue
Kernel Crash Due to Unhandled Pin Interrupts in MCP23S08

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Disable all pin interrupts during probe A chip being probed may have the interrupt-on-change feature enabled on some of its pins, for example after a reboot. This can cause the chip to generate interrupts for pins that don't have a registered nested handler, which leads to a kernel crash such as below: [ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac [ 7.932314] Mem abort info: [ 7.935081] ESR = 0x0000000096000004 [ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits [ 7.944094] SET = 0, FnV = 0 [ 7.947127] EA = 0, S1PTW = 0 [ 7.950247] FSC = 0x04: level 0 translation fault [ 7.955101] Data abort info: [ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000 [ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000 [ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP [ 7.992545] Modules linked in: [ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199 [ 8.073689] Hardware name: Khadas VIM3 (DT) [ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80 [ 8.098970] lr : handle_nested_irq+0x2c/0x168 [ 8.098979] sp : ffff800082b2bd20 [ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88 [ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00 [ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e [ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000 [ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000 [ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c [ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00 [ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001 [ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac [ 8.170560] Call trace: [ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P) [ 8.184443] mcp23s08_irq+0x248/0x358 [ 8.184462] irq_thread_fn+0x34/0xb8 [ 8.184470] irq_thread+0x1a4/0x310 [ 8.195093] kthread+0x13c/0x150 [ 8.198309] ret_from_fork+0x10/0x20 [ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01) [ 8.207931] ---[ end trace 0000000000000000 ]--- This issue has always been present, but has been latent until commit "f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type"), which correctly removed reg_defaults from the regmap and as a side effect changed the behavior of the interrupt handler so that the real value of the MCP_GPINTEN register is now being read from the chip instead of using a bogus 0 default value; a non-zero value for this register can trigger the invocation of a nested handler which may not exist (yet). Fix this issue by disabling all pin interrupts during initialization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43087
EUVD
EUVD-2026-27584
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's pinctrl driver for the MCP23S08 chip. When the chip is probed during initialization, it may have the interrupt-on-change feature enabled on some pins from a previous state, such as after a reboot. This causes the chip to generate interrupts for pins that do not have a registered nested interrupt handler, leading to a kernel crash due to an attempt to handle an interrupt that the kernel is not prepared for.

The issue became apparent after a specific commit changed how the MCP_GPINTEN register value is read, causing the kernel to read the actual hardware value instead of assuming a default zero. If this register has a non-zero value, it can trigger nested interrupt handlers that may not exist yet, resulting in a crash. The fix involves disabling all pin interrupts during the chip's initialization to prevent these unexpected interrupts.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash unexpectedly during the initialization of the MCP23S08 chip driver. Such a kernel crash (kernel panic) can lead to system instability, downtime, and potential loss of data or service availability. Systems relying on this driver for hardware interaction may experience interruptions or failures, impacting reliability and uptime.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel crash related to the mcp23s08 pinctrl driver when interrupts are generated for pins without a registered nested handler.

To detect this issue on your system, you can check the kernel logs for error messages similar to the following indicative crash trace:

  • Look for kernel messages containing "Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac" or "Internal error: Oops" related to irq/18-4-0025 or mcp23s08_irq.
  • Use the command: dmesg | grep -i 'mcp23s08' to filter kernel messages related to the vulnerable driver.
  • Check for recent kernel oops or panic logs with: journalctl -k | grep -i 'Oops' or journalctl -k | grep -i 'mcp23s08'.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by disabling all pin interrupts during the probe (initialization) of the mcp23s08 chip in the Linux kernel.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix from commit "f9f4fda15e72" or later, which disables pin interrupts during initialization.
  • If updating the kernel is not immediately possible, consider rebooting the system to clear any enabled interrupt-on-change features on the chip pins.
  • Monitor kernel logs for crashes and avoid using the affected hardware or driver until patched.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart