Incomplete Blacklist to Cross-Site Scripting in Linux kernel - CVE-2026-23308
Published: March 25, 2026
Vulnerability identifier: #VU124557
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23308
CWE-ID: CWE-692
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of interrupt masking in the pinctrl driver when loading the equilibrium GPIO controller. A local user can trigger the loading of the driver, resulting in repeated kernel warning messages being logged, which may degrade system stability and generate unnecessary log entries.
The issue arises because the function 'eqbr_irq_mask_ack()' indirectly calls 'gpiochip_disable_irq()' through 'eqbr_irq_mask()', leading to spurious warnings during initialization. This behavior does not occur in similar drivers, indicating inconsistent interrupt handling.
How to mitigate CVE-2026-23308
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/3e00b1b332e54ba50cca6691f628b9c06574024f
- https://git.kernel.org/stable/c/53eba152810ef0fff8567b13ea0f62d48e62df6b
- https://git.kernel.org/stable/c/896449ad9053a42c6c710aeae6175170176cabd0
- https://git.kernel.org/stable/c/af3b0ec98dc1133521b612f8009fdd36b612aabe
- https://git.kernel.org/stable/c/ec54546e8d8a50a9824c139a127a8459d1b0b1bb