Description
In the Linux kernel, the following vulnerability has been resolved:

pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()

devm_add_action_or_reset() already invokes the action on failure,
so the explicit put causes a double-put.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Crash
Action: Apply Patch
AI Analysis

Impact

A double release of a pin controller resource in the cs42l43 driver can trigger a double free in kernel space. This flaw, classified as CWE‑1341 and CWE‑415, compromises kernel stability by causing an unrecoverable error in kernel memory management. The defect does not directly expose data but undermines the operational reliability of the affected host.
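
The error path from the description, modelled in user-space C as an added example (not the driver's code or the upstream patch). `struct node`, `node_put()`, `probe_buggy()`, `probe_fixed()` and `model_add_action_or_reset()` are hypothetical stand-ins; the model copies only the behaviour the description states for devm_add_action_or_reset(), which runs the action itself when registration fails.

```c
/* User-space model of the error path described above; not kernel code. */
#include <stdio.h>

struct node { int refs; };              /* hypothetical refcounted object */
struct dev { void (*action)(void *); void *data; };

static void node_put(void *data) { ((struct node *)data)->refs--; }

/* Models devm_add_action_or_reset(): on failure the action runs before return. */
static int model_add_action_or_reset(struct dev *d, void (*fn)(void *), void *data, int fail)
{
    if (fail) {
        fn(data);                       /* registration failed: helper drops the reference */
        return -12;                     /* -ENOMEM */
    }
    d->action = fn;                     /* success: action deferred to device teardown */
    d->data = data;
    return 0;
}

static int probe_buggy(struct dev *d, struct node *n, int fail)
{
    n->refs++;                          /* probe takes its own reference */
    int ret = model_add_action_or_reset(d, node_put, n, fail);
    if (ret)
        node_put(n);                    /* redundant put: this is the double-put */
    return ret;
}

static int probe_fixed(struct dev *d, struct node *n, int fail)
{
    n->refs++;
    return model_add_action_or_reset(d, node_put, n, fail);  /* helper cleans up alone */
}

/* Count left after probe; the object starts with one reference held elsewhere. */
static int refs_after_probe(int buggy, int fail)
{
    struct node n = { .refs = 1 };
    struct dev d = { 0 };
    (buggy ? probe_buggy : probe_fixed)(&d, &n, fail);
    return n.refs;
}

int main(void)
{
    printf("failed probe: buggy=%d fixed=%d\n", refs_after_probe(1, 1), refs_after_probe(0, 1));
    return 0;
}
```

A count of 0 after the buggy failing probe means the reference held elsewhere has been dropped as well, so the object can be released while still in use; the fixed path leaves that reference intact.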

Affected Systems

The vulnerability affects Linux kernel versions 6.18 and 7.0 release candidates 1 through 7, as identified by the provided CPE strings. Any installation of the Linux kernel that includes the cirrus cs42l43 pin controller driver and has not incorporated the commit that removes the redundant release is at risk. Users should verify their kernel version against these affected releases to determine if remediation is required.

Risk and Exploitability

The EPSS score of less than 1% indicates a low probability of recent exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw resides in kernel mode, an attacker with local or privilege‑escalation capabilities could trigger a crash that may disrupt availability. The CVSS score of 7.8 indicates high severity, and the potential for a kernel crash suggests significant impact if exploited.

Generated by OpenCVE AI on April 29, 2026 at 01:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the cs42l43 driver fix.
  • Disable the cirrus cs42l43 pin controller driver in the kernel configuration to prevent the double-put from occurring.
  • If the driver is built as a module, blacklist or unload the module so it cannot load at boot.

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update

History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
Title pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:06:24.953Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23387

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:39.123

Modified: 2026-04-24T18:45:08.230

Link: CVE-2026-23387

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23387 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z
