{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22986", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.936Z", "datePublished": "2026-01-23T15:24:07.932Z", "dateUpdated": "2026-05-11T21:57:47.442Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:47.442Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix race condition for gdev->srcu\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n\n[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[ 4.943396] Mem abort info:\n[ 4.943400] ESR = 0x0000000096000005\n[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 4.943407] SET = 0, FnV = 0\n[ 4.943410] EA = 0, S1PTW = 0\n[ 4.943413] FSC = 0x05: level 1 translation fault\n[ 4.943416] Data abort info:\n[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[ 4.961449] [ffff800272bcc000] pgd=0000000000000000\n[ 4.969203] , p4d=1000000039739003\n[ 4.979730] , pud=0000000000000000\n[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[ 5.121359] pc : __srcu_read_lock+0x44/0x98\n[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[ 5.153671] sp : ffff8000833bb430\n[ 5.298440]\n[ 5.298443] Call trace:\n[ 5.298445] __srcu_read_lock+0x44/0x98\n[ 5.309484] gpio_name_to_desc+0x60/0x1a0\n[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00\n 5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements to reflect modified order of operations\n\n[Bartosz: fixed a build issue, removed stray newline]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpiolib.c"], "versions": [{"version": "47d8b4c1d868148c8fb51b785a89e58ca2d02c4d", "lessThan": "1ef731547dfd73f466c5d0e52801b97191d4647f", "status": "affected", "versionType": "git"}, {"version": "47d8b4c1d868148c8fb51b785a89e58ca2d02c4d", "lessThan": "fb674c8f1a5d8dd3113a7326030f963fa2d79c02", "status": "affected", "versionType": "git"}, {"version": "47d8b4c1d868148c8fb51b785a89e58ca2d02c4d", "lessThan": "a7ac22d53d0990152b108c3f4fe30df45fcb0181", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpiolib.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1ef731547dfd73f466c5d0e52801b97191d4647f"}, {"url": "https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02"}, {"url": "https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181"}], "title": "gpiolib: fix race condition for gdev->srcu", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "67CADBBA-60A1-4A50-98FF-D6BE31D03858", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix race condition for gdev->srcu\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n\n[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[ 4.943396] Mem abort info:\n[ 4.943400] ESR = 0x0000000096000005\n[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 4.943407] SET = 0, FnV = 0\n[ 4.943410] EA = 0, S1PTW = 0\n[ 4.943413] FSC = 0x05: level 1 translation fault\n[ 4.943416] Data abort info:\n[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[ 4.961449] [ffff800272bcc000] pgd=0000000000000000\n[ 4.969203] , p4d=1000000039739003\n[ 4.979730] , pud=0000000000000000\n[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[ 5.121359] pc : __srcu_read_lock+0x44/0x98\n[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[ 5.153671] sp : ffff8000833bb430\n[ 5.298440]\n[ 5.298443] Call trace:\n[ 5.298445] __srcu_read_lock+0x44/0x98\n[ 5.309484] gpio_name_to_desc+0x60/0x1a0\n[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00\n 5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements to reflect modified order of operations\n\n[Bartosz: fixed a build issue, removed stray newline]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ngpiolib: corrige condici\u00f3n de carrera para gdev->srcu\n\nSi dos controladores estaban llamando a gpiochip_add_data_with_key(), uno podr\u00eda estar recorriendo la lista protegida por srcu en gpio_name_to_desc(), mientras tanto, el otro acaba de a\u00f1adir su gdev en gpiodev_add_to_list_unlocked(). Esto crea un marco de tiempo no mutexado y no protegido, cuando una instancia est\u00e1 desreferenciando y usando &gdev->srcu, antes de que la otra lo haya inicializado, resultando en un fallo:\n\n[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[ 4.943396] Mem abort info:\n[ 4.943400] ESR = 0x0000000096000005\n[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 4.943407] SET = 0, FnV = 0\n[ 4.943410] EA = 0, S1PTW = 0\n[ 4.943413] FSC = 0x05: level 1 translation fault\n[ 4.943416] Data abort info:\n[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[ 4.961449] [ffff800272bcc000] pgd=0000000000000000\n[ 4.969203] , p4d=1000000039739003\n[ 4.979730] , pud=0000000000000000\n[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 para node \"reset\"\n[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[ 5.121359] pc : __srcu_read_lock+0x44/0x98\n[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[ 5.153671] sp : ffff8000833bb430\n[ 5.298440]\n[ 5.298443] Call trace:\n[ 5.298445] __srcu_read_lock+0x44/0x98\n[ 5.309484] gpio_name_to_desc+0x60/0x1a0\n[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00\n 5.946419] ---[ end trace 0000000000000000 ]---\n\nMover el c\u00f3digo de inicializaci\u00f3n para los campos de gdev antes de que sea a\u00f1adido a gpio_devices, con c\u00f3digo de inicializaci\u00f3n adyacente.\nAjustar las sentencias goto para reflejar el orden de operaciones modificado\n\n[Bartosz: se corrigi\u00f3 un problema de compilaci\u00f3n, se elimin\u00f3 una nueva l\u00ednea suelta]"}], "id": "CVE-2026-22986", "lastModified": "2026-04-22T13:16:19.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:54.657", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ef731547dfd73f466c5d0e52801b97191d4647f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gpiolib: fix race condition for gdev->srcu", "id": "2432390", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432390"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22986", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22986\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22986\nhttps://lore.kernel.org/linux-cve-announce/2026012349-CVE-2026-22986-5992@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:13:31.227899+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the gpiolib patch.", "If a kernel update is not possible, disable or unload the GPIO drivers that could trigger the race to prevent crashes during normal operation.", "Review any custom modules that use gpiochip_add_data_with_key to ensure device initialization occurs before list addition or restrict such operations to trusted code.", "Monitor system logs for \u201cUnable to handle kernel paging request\u201d errors and apply patches promptly."], "summary": {"action": "Update Kernel", "impact": "Denial of Service (system crash)"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the vulnerable gpiolib code, specifically the 6.19 release candidates 1 through 4 and earlier unsupported kernels. The fix is delivered in kernel patches that move the initialization of the gdev fields before adding the device to the list. Systems running any kernel version prior to the patch are affected.", "description_and_impact": "A race condition in the Linux kernel gpiolib module can cause a kernel crash when two drivers concurrently call gpiochip_add_data_with_key. One driver may traverse the srcu\u2011protected list while another has just added its device, dereferencing an uninitialized gdev->srcu pointer. The result is a kernel panic, leading to a denial of service that compromises system stability. The flaw is a classic race condition (CWE\u2011362).", "risk_and_exploitability": "The CVSS score is 4.7, indicating moderate severity. The EPSS score is less than 1\u202f%, implying a low likelihood that this flaw will be exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker would need local or root access to load a driver that triggers the race; it is also inferred that remote exploitation would require privileged interaction. The primary impact is service disruption through a kernel panic."}}}}, "created": "2026-04-18T15:15:03.696177+00:00", "updated": "2026-04-18T15:15:03.696187+00:00", "vendors": []}