CVE-2026-53344 Overview
CVE-2026-53344 is a NULL pointer dereference vulnerability in the Linux kernel's pinctrl: mcp23s08 driver. The flaw occurs during driver probe when regmap initialization triggers regcache_maple_populate(), which attempts an SPI read before mcp->dev and mcp->addr have been assigned. The unset pointers cause a NULL pointer dereference during device probe. The patch reorders initialization so mcp->dev and mcp->addr are populated before mcp23s08_spi_regmap_init() is invoked.
Critical Impact
Local systems using the Microchip MCP23S08 SPI I/O expander driver may crash during driver probe due to a NULL pointer dereference in kernel space.
Affected Products
- Linux kernel builds containing the pinctrl: mcp23s08 driver prior to the fixing commits
- Systems using the Microchip MCP23S08 SPI GPIO/pin controller
- Embedded and IoT platforms depending on the mcp23s08 pinctrl driver
Discovery Timeline
- 2026-07-01 - CVE-2026-53344 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53344
Vulnerability Analysis
The vulnerability resides in the probe path of the pinctrl: mcp23s08 driver, which supports the Microchip MCP23S08 SPI-attached I/O expander. During driver initialization, the code invokes mcp23s08_spi_regmap_init() to set up the regmap subsystem for register access. Regmap initialization internally calls regcache_maple_populate(), which issues an SPI read to prime the register cache.
The SPI read path relies on two fields in the mcp device structure: mcp->dev and mcp->addr. In the vulnerable code order, these fields remain uninitialized when the SPI read is attempted. Dereferencing the unset mcp->dev pointer results in a kernel NULL pointer dereference and an oops during probe. The class of defect maps to [CWE-476] NULL Pointer Dereference.
Root Cause
The root cause is initialization ordering. The driver invoked regmap setup before assigning mcp->dev and mcp->addr. Because regmap now eagerly populates its cache via SPI I/O during init, the previous ordering became unsafe. The fix moves the assignment of mcp->dev and mcp->addr before the call to mcp23s08_spi_regmap_init().
Attack Vector
This is a local, probe-time kernel defect rather than a remotely reachable flaw. Triggering the condition requires loading the affected driver against MCP23S08 hardware or an equivalent device binding. The impact is availability: a crash of the kernel probe path affecting devices that depend on the driver. No user-controlled input path is documented in the advisory.
No verified public exploit code is available. See the upstream fix commits for the exact code change: Kernel commit 3a13bb95 and Kernel commit 8473c3a1.
Detection Methods for CVE-2026-53344
Indicators of Compromise
- Kernel oops or panic messages referencing mcp23s08, regcache_maple_populate, or regmap during driver probe
- Failed device initialization for MCP23S08 SPI I/O expanders in dmesg output
- Repeated probe failures logged by udev or systemd for the pinctrl-mcp23s08 driver
Detection Strategies
- Inventory kernel builds and identify systems running versions prior to the fixing commits in the stable tree
- Audit hardware configurations for boards that bind to the mcp23s08 SPI driver
- Correlate kernel crash reports with driver probe activity via centralized log collection
Monitoring Recommendations
- Forward /var/log/kern.log and dmesg output to a centralized logging platform for review of driver oops events
- Alert on kernel NULL pointer dereference stack traces containing mcp23s08 symbols
- Track kernel package versions across fleet inventory to confirm patch adoption
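The alert on NULL pointer dereference traces containing mcp23s08 symbols can be prototyped as below. This is an added example, not code from the advisory or the kernel project: the function name `find_mcp23s08_oops` is hypothetical, and the log lines, offsets and module tag in `SAMPLE_LOG` are constructed for illustration.

```python
import re

# Oops headers for a NULL dereference as printed on x86 and on arm/arm64.
NULL_DEREF = re.compile(r"(BUG: kernel|Unable to handle kernel) NULL pointer dereference")
# A trace frame: symbol+0xoffset/0xsize, optionally followed by [module].
FRAME = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
END_OF_TRACE = "---[ end trace"
DRIVER = "mcp23s08"                        # driver name from the advisory
CORROBORATING = "regcache_maple_populate"  # regmap frame named in the advisory

def find_mcp23s08_oops(lines):
    """Return one alert per NULL-dereference oops whose trace names the driver."""
    alerts, oops = [], None

    def flush():
        # Alert only when a frame or its module tag names the driver itself.
        if oops and oops["driver_seen"]:
            alerts.append({"line": oops["line"], "symbols": oops["symbols"]})

    for lineno, line in enumerate(lines, 1):
        if NULL_DEREF.search(line):
            flush()  # a previous oops lost its end marker (truncated log)
            oops = {"line": lineno, "symbols": [], "driver_seen": False}
            continue
        if oops is None:
            continue
        frame = FRAME.search(line)
        if frame:
            symbol, module = frame.group(1), frame.group(2) or ""
            if DRIVER in symbol or symbol == CORROBORATING:
                oops["symbols"].append(symbol)
            if DRIVER in symbol or DRIVER in module:
                oops["driver_seen"] = True
        if END_OF_TRACE in line:
            flush()
            oops = None
    flush()  # log ended in the middle of a trace
    return alerts

# Constructed sample (not a real capture): one driver oops, one unrelated oops.
SAMPLE_LOG = """\
[    2.314512] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    2.314915]  regcache_maple_populate+0x58/0x1a0
[    2.314930]  mcp23s08_spi_regmap_init+0x9c/0x140 [pinctrl_mcp23s08_spi]
[    2.314960] ---[ end trace 0000000000000000 ]---
[    5.100221] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[    5.100301]  example_other_probe+0x20/0x80 [example_other]
[    5.100377] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Each alert carries the line number of the oops header and the matching frames, so the unrelated second oops in the sample produces no alert.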
How to Mitigate CVE-2026-53344
Immediate Actions Required
- Apply the upstream Linux kernel stable updates containing commits 3a13bb9540df and 8473c3a197b5
- Rebuild and redeploy custom kernels that include the pinctrl: mcp23s08 driver
- Reboot affected systems after patching to ensure the fixed driver is loaded
Patch Information
The fix reorders initialization so mcp->dev and mcp->addr are populated before mcp23s08_spi_regmap_init() is called. Reference the upstream commits 3a13bb9540dfd7014c5601608afcbbadbbcfd673 and 8473c3a197b57ff01396f7a2ec6ddf65383820d4. Distribution vendors typically backport these commits into stable kernel releases.
Workarounds
- Blacklist the mcp23s08 kernel module on systems that do not require the hardware using /etc/modprobe.d/
- Remove device tree bindings or ACPI entries that instantiate the MCP23S08 device on non-essential systems
- Restrict physical and administrative access to systems where the driver must remain loaded until patching completes
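# Blacklist the mcp23s08 SPI driver until the patched kernel is deployed.
# Mainline builds it as the module pinctrl-mcp23s08_spi; confirm the name with lsmod or modinfo.
echo "blacklist pinctrl_mcp23s08_spi" | sudo tee /etc/modprobe.d/blacklist-mcp23s08.conf
# Debian/Ubuntu command; use your distribution's initramfs tool elsewhere
sudo update-initramfs -u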

