{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-23T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service due to a race condition in gpiolib",
    "id" : "2432390",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2432390"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-366",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngpiolib: fix race condition for gdev->srcu\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n[    4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[    4.943396] Mem abort info:\n[    4.943400]   ESR = 0x0000000096000005\n[    4.943403]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    4.943407]   SET = 0, FnV = 0\n[    4.943410]   EA = 0, S1PTW = 0\n[    4.943413]   FSC = 0x05: level 1 translation fault\n[    4.943416] Data abort info:\n[    4.943418]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    4.946220]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    4.955261]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[    4.961449] [ffff800272bcc000] pgd=0000000000000000\n[    4.969203] , p4d=1000000039739003\n[    4.979730] , pud=0000000000000000\n[    4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[    4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[    5.121359] pc : __srcu_read_lock+0x44/0x98\n[    5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[    5.153671] sp : ffff8000833bb430\n[    5.298440]\n[    5.298443] Call trace:\n[    5.298445]  __srcu_read_lock+0x44/0x98\n[    5.309484]  gpio_name_to_desc+0x60/0x1a0\n[    5.320692]  gpiochip_add_data_with_key+0x488/0xf00\n5.946419] ---[ end trace 0000000000000000 ]---\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements  to reflect modified order of operations\n[Bartosz: fixed a build issue, removed stray newline]", "A flaw was found in the Linux kernel's gpiolib subsystem. A race condition can occur when two drivers simultaneously call the `gpiochip_add_data_with_key()` function. This timing issue may lead to the system attempting to dereference an uninitialized data structure, resulting in a kernel crash and a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22986\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22986\nhttps://lore.kernel.org/linux-cve-announce/2026012349-CVE-2026-22986-5992@gregkh/T" ],
  "name" : "CVE-2026-22986",
  "csaw" : false
}