CVE-2026-22986 in Linux

Summary

by MITRE • 01/23/2026

In the Linux kernel, the following vulnerability has been resolved:

gpiolib: fix race condition for gdev->srcu

If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash:

[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000
[ 4.943396] Mem abort info:
[ 4.943400] ESR = 0x0000000096000005
[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.943407] SET = 0, FnV = 0
[ 4.943410] EA = 0, S1PTW = 0
[ 4.943413] FSC = 0x05: level 1 translation fault
[ 4.943416] Data abort info:
[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000
[ 4.961449] [ffff800272bcc000] pgd=0000000000000000
[ 4.969203] , p4d=1000000039739003
[ 4.979730] , pud=0000000000000000
[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset"
[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
... [ 5.121359] pc : __srcu_read_lock+0x44/0x98
[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0
[ 5.153671] sp : ffff8000833bb430
[ 5.298440]
[ 5.298443] Call trace:
[ 5.298445] __srcu_read_lock+0x44/0x98
[ 5.309484] gpio_name_to_desc+0x60/0x1a0
[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00
5.946419] ---[ end trace 0000000000000000 ]---

Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations.

[Bartosz: fixed a build issue, removed stray newline]


Analysis

by VulDB Data Team • 05/18/2026

CVE-2026-22986 is a race condition in the gpiolib component of the Linux kernel's GPIO (General Purpose Input/Output) subsystem, the code that manages GPIO chip drivers. It occurs when GPIO chips are added dynamically through gpiochip_add_data_with_key(): if several drivers register chips concurrently, there is a window in which one thread reads a structure member that another thread has not yet initialized. The member in question is the srcu (Sleepable Read-Copy Update) field of the gpio device structure, and dereferencing it before it is initialized leads to invalid memory accesses and kernel crashes.

The flaw is an ordering problem in GPIO device registration. gpiochip_add_data_with_key() both adds the new gpio device to a global list and initializes its internal fields, but the srcu field is initialized only after the device is already on the list. In that window another thread calling gpio_name_to_desc() may walk the srcu-protected list, find the new device, and try to take a read lock on an srcu structure that does not exist yet. This is a textbook publish-before-initialize data race, and the kernel oops in the summary shows it directly: __srcu_read_lock, called from gpio_name_to_desc, faults on the uninitialized srcu structure at virtual address ffff800272bcc000.

The impact is a kernel oops, which in practice means a crash and complete loss of availability of the affected system. The race is most likely where GPIO chip registration happens concurrently from different kernel contexts or interrupt handlers. As the memory access violation and the oops trace show, the crash comes from dereferencing a pointer to an uninitialized srcu structure, which causes an immediate page fault and terminates the system. Any Linux system with GPIO drivers that register chips dynamically is affected, particularly systems with concurrent registration patterns or embedded systems with a complex GPIO infrastructure.

The mitigation is to reorder the registration code so that every gdev field, including srcu, is initialized before the device is added to the global gpio_devices list. The upstream fix does exactly this, moving the srcu initialization ahead of the list insertion and adjusting the goto-based error handling so the cleanup path matches the new order of operations. This is the standard remedy for CWE-362 (race condition) in kernel code: an object must not become visible to other readers until it is fully initialized. Administrators should update to a kernel that includes the patch, especially on production systems where GPIO operations are critical or where concurrent driver registration can occur.
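The publish-before-initialize ordering that the commit message and the analysis above describe, reduced to a deterministic model as an added example. This is not kernel code: dev, dev_list, lock_state, register_buggy and register_fixed are hypothetical stand-ins for gdev, gpio_devices and gdev->srcu, and the "concurrent reader" is replayed at the exact step where the real race would interleave.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

#define LOCK_READY 0x5ec1ead5u  /* constructed marker: "this lock was initialised" */

struct dev {
    unsigned lock_state;  /* stands in for gdev->srcu */
    const char *name;
    struct dev *next;
};

static _Atomic(struct dev *) dev_list;  /* stands in for the gpio_devices list */

/* calloc() leaves lock_state at 0, i.e. deterministically "not initialised". */
static struct dev *new_dev(const char *name) {
    struct dev *d = calloc(1, sizeof *d);
    if (d) d->name = name;
    return d;
}

/* The two registration steps, split so the interleaving can be replayed. */
static void add_to_list(struct dev *d) {
    d->next = atomic_load_explicit(&dev_list, memory_order_relaxed);
    atomic_store_explicit(&dev_list, d, memory_order_release);
}
static void init_lock(struct dev *d) { d->lock_state = LOCK_READY; }

/* Reader modelled on gpio_name_to_desc(): walks the list and "takes" each
 * node's lock. Returns 1 if found, 0 if absent, -1 if it reached a node whose
 * lock is not ready (the kernel oopsed in __srcu_read_lock at this point). */
static int lookup_by_name(const char *name) {
    for (struct dev *d = atomic_load_explicit(&dev_list, memory_order_acquire);
         d; d = d->next) {
        if (d->lock_state != LOCK_READY) return -1;
        if (strcmp(d->name, name) == 0) return 1;
    }
    return 0;
}

/* Before the fix: publish first, initialise afterwards. */
static int register_buggy(struct dev *d) {
    add_to_list(d);
    int seen = lookup_by_name(d->name);  /* concurrent reader's view: -1 */
    init_lock(d);
    return seen;
}

/* After the fix: initialise every field, then publish. The same reader either
 * sees a fully set-up node or does not see the node at all. */
static int register_fixed(struct dev *d) {
    init_lock(d);
    int seen = lookup_by_name(d->name);  /* concurrent reader's view: 0 */
    add_to_list(d);
    return seen;
}
```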

Responsible: Linux
Reservation: 01/13/2026
Disclosure: 01/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00087
KEV: no
Activities: very low
