CVE-2026-23387 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()

devm_add_action_or_reset() already invokes the action on failure,
so the explicit put causes a double-put.

Published: 2026-03-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A double release of a pin controller resource in the cs42l43 driver can trigger a double free in kernel space. This flaw, classified as CWE-1341, may lead to a kernel panic or timing violation that causes the system to become unavailable. The defect does not directly expose data but undermines the operational stability of the affected host.

Affected Systems

Any installation of the Linux kernel that contains the cirrus cs42l43 pin controller driver and has not incorporated the recent commit that removes the redundant release is affected. Version information is not specified, so users should examine kernel releases against the commit identifying the double‑put resolution to determine applicability.

Risk and Exploitability

The EPSS score of less than 1 % indicates a low probability of recent exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw resides in kernel mode, an attacker with local or privilege‑escalation capabilities could trigger a crash and cause a denial of service. The lack of a formal CVSS score makes severity assessment ambiguous, but the potential for a system‑wide outage suggests high impact if exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9026f31a520d43cc01eb1c08938fc19efadd78cc`	affected	< 95b14ecc56881dd9a187e1e84dd0daa88ff22c5d
`36f91eeffd03f5c52406e0c4e2e0fb040307d00c`	affected	< 188ba3468cb7c098c62609d82e9fc58d29ead7f4
`9b07cdf86a0b90556f5b68a6b20b35833b558df3`	affected	< ea07fcfbba4301839db3784f09955d9fa3e98090
`9b07cdf86a0b90556f5b68a6b20b35833b558df3`	affected	< 1e0465139fd9caee7ffefe285ef7d5f21919e474
`9b07cdf86a0b90556f5b68a6b20b35833b558df3`	affected	< fd5bed798f45eb3a178ad527b43ab92705faaf8a
`d7adbba9298fd74dde0abed5c93312c08c9e6507`	affected	—

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9026f31a520d43cc01eb1c08938fc19efadd78cc,95b14ecc56881dd9a187e1e84dd0daa88ff22c5d)`	affected	code_commit	—
`[36f91eeffd03f5c52406e0c4e2e0fb040307d00c,188ba3468cb7c098c62609d82e9fc58d29ead7f4)`	affected	code_commit	—
`[9b07cdf86a0b90556f5b68a6b20b35833b558df3,ea07fcfbba4301839db3784f09955d9fa3e98090)`	affected	code_commit	—
`[9b07cdf86a0b90556f5b68a6b20b35833b558df3,1e0465139fd9caee7ffefe285ef7d5f21919e474)`	affected	code_commit	—
`[9b07cdf86a0b90556f5b68a6b20b35833b558df3,fd5bed798f45eb3a178ad527b43ab92705faaf8a)`	affected	code_commit	—
`d7adbba9298fd74dde0abed5c93312c08c9e6507`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix for the cs42l43 pin controller driver.

Generated by OpenCVE AI on March 26, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/188ba3468cb7c098c62609d82e9fc58d29ead7f4
https://git.kernel.org/stable/c/1e0465139fd9caee7ffefe285ef7d5f21919e474
https://git.kernel.org/stable/c/95b14ecc56881dd9a187e1e84dd0daa88ff22c5d
https://git.kernel.org/stable/c/ea07fcfbba4301839db3784f09955d9fa3e98090
https://git.kernel.org/stable/c/fd5bed798f45eb3a178ad527b43ab92705faaf8a
https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23387-4399@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23387
https://www.cve.org/CVERecord?id=CVE-2026-23387

History

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23387-4399@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23387 https://www.cve.org/CVERecord?id=CVE-2026-23387

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
Title		pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/188ba3468cb7c098c62609d82e9fc58d29ead7f4 https://git.kernel.org/stable/c/1e0465139fd9caee7ffefe285ef7d5f21919e474 https://git.kernel.org/stable/c/95b14ecc56881dd9a187e1e84dd0daa88ff22c5d https://git.kernel.org/stable/c/ea07fcfbba4301839db3784f09955d9fa3e98090 https://git.kernel.org/stable/c/fd5bed798f45eb3a178ad527b43ab92705faaf8a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:28:05.031Z

Updated: 2026-03-25T10:28:05.031Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23387

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:39.123

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23387

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23387 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:15:29Z

Weaknesses

CWE-1341

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object