CVE-2026-53344: Linux Kernel NULL Pointer Dereference Vulnerability

CVE-2026-53344 is a NULL pointer dereference vulnerability in the Linux kernel's pinctrl mcp23s08 driver that is triggered during driver probe. This article covers technical details, affected versions, and mitigation.

CVE-2026-53344 Overview

CVE-2026-53344 is a NULL pointer dereference vulnerability in the Linux kernel's pinctrl: mcp23s08 driver. The flaw occurs during driver probe when regmap initialization triggers regcache_maple_populate(), which attempts an SPI read before mcp->dev and mcp->addr have been assigned. The unset pointers cause a NULL pointer dereference during device probe. The patch reorders initialization so mcp->dev and mcp->addr are populated before mcp23s08_spi_regmap_init() is invoked.

Critical Impact

Local systems using the Microchip MCP23S08 SPI I/O expander driver may crash during driver probe due to a NULL pointer dereference in kernel space.

Affected Products

  • Linux kernel builds containing the pinctrl: mcp23s08 driver prior to the fixing commits
  • Systems using the Microchip MCP23S08 SPI GPIO/pin controller
  • Embedded and IoT platforms depending on the mcp23s08 pinctrl driver

Discovery Timeline

  • 2026-07-01 - CVE-2026-53344 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53344

Vulnerability Analysis

The vulnerability resides in the probe path of the pinctrl: mcp23s08 driver, which supports the Microchip MCP23S08 SPI-attached I/O expander. During driver initialization, the code invokes mcp23s08_spi_regmap_init() to set up the regmap subsystem for register access. Regmap initialization internally calls regcache_maple_populate(), which issues an SPI read to prime the register cache.

The SPI read path relies on two fields in the mcp device structure: mcp->dev and mcp->addr. In the vulnerable code order, these fields remain uninitialized when the SPI read is attempted. Dereferencing the unset mcp->dev pointer results in a kernel NULL pointer dereference and an oops during probe. The class of defect maps to [CWE-476] NULL Pointer Dereference.

Root Cause

The root cause is initialization ordering. The driver invoked regmap setup before assigning mcp->dev and mcp->addr. Because regmap now eagerly populates its cache via SPI I/O during init, the previous ordering became unsafe. The fix moves the assignment of mcp->dev and mcp->addr before the call to mcp23s08_spi_regmap_init().
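
The ordering problem described above, reduced to a user-space C model. This is an added example, not the driver's code: `mcp_model`, `model_regmap_init()` and the other names are hypothetical stand-ins, and the model returns -1 at the point where the kernel would dereference the unset pointer.

```c
#include <stdint.h>
#include <stdio.h>

struct device_model { int id; };         /* stand-in for struct device */
struct mcp_model {                       /* stand-in for the driver's state */
    struct device_model *dev;
    uint8_t addr;
};
struct device_model sample_dev = { 1 };  /* constructed sample device */

/* Bus read used to prime the cache. The kernel path dereferences mcp->dev
 * at this point; the model returns -1 where the kernel would oops. */
static int model_spi_read(const struct mcp_model *mcp, uint8_t reg, uint8_t *val)
{
    if (mcp->dev == NULL)
        return -1;
    *val = (uint8_t)(mcp->addr ^ reg);   /* constructed register value */
    return 0;
}

/* Models regmap init that eagerly populates its cache through the bus. */
static int model_regmap_init(const struct mcp_model *mcp)
{
    uint8_t val;
    return model_spi_read(mcp, 0x00, &val);
}

/* Vulnerable order: regmap init runs before dev and addr are assigned. */
int probe_vulnerable(struct device_model *dev, uint8_t addr)
{
    struct mcp_model mcp = { 0 };        /* zeroed state: dev is NULL */
    int ret = model_regmap_init(&mcp);   /* reads through unset mcp.dev */
    mcp.dev = dev;                       /* assigned too late */
    mcp.addr = addr;
    return ret;
}

/* Fixed order: dev and addr are assigned first, as the patch does. */
int probe_fixed(struct device_model *dev, uint8_t addr)
{
    struct mcp_model mcp = { .dev = dev, .addr = addr };
    return model_regmap_init(&mcp);
}

int main(void)
{
    printf("vulnerable=%d fixed=%d\n",
           probe_vulnerable(&sample_dev, 0x40), probe_fixed(&sample_dev, 0x40));
    return 0;
}
```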

Attack Vector

This is a local, probe-time kernel defect rather than a remotely reachable flaw. Triggering the condition requires loading the affected driver against MCP23S08 hardware or an equivalent device binding. The impact is availability: a crash of the kernel probe path affecting devices that depend on the driver. No user-controlled input path is documented in the advisory.

No verified public exploit code is available. See the upstream fix commits for the exact code change: Kernel commit 3a13bb95 and Kernel commit 8473c3a1.

Detection Methods for CVE-2026-53344

Indicators of Compromise

  • Kernel oops or panic messages referencing mcp23s08, regcache_maple_populate, or regmap during driver probe
  • Failed device initialization for MCP23S08 SPI I/O expanders in dmesg output
  • Repeated probe failures logged by udev or systemd for the pinctrl-mcp23s08 driver

Detection Strategies

  • Inventory kernel builds and identify systems running versions prior to the fixing commits in the stable tree
  • Audit hardware configurations for boards that bind to the mcp23s08 SPI driver
  • Correlate kernel crash reports with driver probe activity via centralized log collection

Monitoring Recommendations

  • Forward /var/log/kern.log and dmesg output to a centralized logging platform for review of driver oops events
  • Alert on kernel NULL pointer dereference stack traces containing mcp23s08 symbols
  • Track kernel package versions across fleet inventory to confirm patch adoption
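
One way to implement the alert on NULL pointer dereference traces containing mcp23s08 symbols, as an added example rather than tooling from the advisory. The log text is constructed for illustration and `count_mcp23s08_oops()` is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in kernel-oops style (not a real capture). */
static const char SAMPLE_LOG[] =
    "[    2.10] mcp23s08 spi0.0: probe start\n"
    "[    2.11] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[    2.12] Call Trace:\n"
    "[    2.13]  regcache_maple_populate+0x10/0x20\n"
    "[    2.14]  mcp23s08_spi_regmap_init+0x10/0x20\n"
    "[    2.15] ---[ end trace 0000000000000000 ]---\n"
    "[    9.40] BUG: kernel NULL pointer dereference, address: 0000000000000008\n"
    "[    9.41]  other_driver_probe+0x10/0x20\n"
    "[    9.42] ---[ end trace 0000000000000000 ]---\n";

/* Count NULL-dereference reports whose body mentions an mcp23s08 symbol. */
int count_mcp23s08_oops(const char *log)
{
    int count = 0, in_oops = 0, hit = 0;
    char line[256];

    while (*log) {
        size_t len = strcspn(log, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, log, n);            /* copy one line, truncating if long */
        line[n] = '\0';
        log += len;
        if (*log == '\n')
            log++;

        if (strstr(line, "NULL pointer dereference")) {
            count += in_oops && hit;     /* previous report had no end marker */
            in_oops = 1;
            hit = 0;
        } else if (strstr(line, "---[ end trace")) {
            count += in_oops && hit;
            in_oops = 0;
        } else if (in_oops && strstr(line, "mcp23s08")) {
            hit = 1;                     /* driver symbol inside the report */
        }
    }
    return count + (in_oops && hit);     /* log ended in the middle of a report */
}

int main(void)
{
    printf("mcp23s08 oops reports: %d\n", count_mcp23s08_oops(SAMPLE_LOG));
    return 0;
}
```

Ordinary driver messages outside an oops report, and oops reports from unrelated drivers, are not counted.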

How to Mitigate CVE-2026-53344

Immediate Actions Required

  • Apply the upstream Linux kernel stable updates containing commits 3a13bb9540df and 8473c3a197b5
  • Rebuild and redeploy custom kernels that include the pinctrl: mcp23s08 driver
  • Reboot affected systems after patching to ensure the fixed driver is loaded

Patch Information

The fix reorders initialization so mcp->dev and mcp->addr are populated before mcp23s08_spi_regmap_init() is called. Reference the upstream commits 3a13bb9540dfd7014c5601608afcbbadbbcfd673 and 8473c3a197b57ff01396f7a2ec6ddf65383820d4. Distribution vendors typically backport these commits into stable kernel releases.

Workarounds

  • Blacklist the mcp23s08 kernel module on systems that do not require the hardware using /etc/modprobe.d/
  • Remove device tree bindings or ACPI entries that instantiate the MCP23S08 device on non-essential systems
  • Restrict physical and administrative access to systems where the driver must remain loaded until patching completes
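
```bash
# Blacklist the MCP23S08 driver until the patched kernel is deployed.
# Upstream builds the SPI front end as pinctrl-mcp23s08_spi; check `lsmod | grep mcp23s08` for the name on your kernel.
printf 'blacklist mcp23s08\nblacklist pinctrl_mcp23s08_spi\n' | sudo tee /etc/modprobe.d/blacklist-mcp23s08.conf
# Debian/Ubuntu: rebuild the initramfs so the blacklist also applies during early boot
sudo update-initramfs -u
```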

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.