PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23287 Linux CVE debrief

A vulnerability in the Linux kernel's SiFive PLIC (Platform-Level Interrupt Controller) irqchip driver could cause interrupts to become permanently frozen when interrupt affinity is changed while a hart (hardware thread) is still handling that interrupt. The root cause is that the existing fix for a prior interrupt-completion issue relied on irqd_irq_disabled() to determine whether to temporarily re-enable an interrupt before sending the completion message to the PLIC. However, this check is insufficient because the PLIC's per-hart enable bit can be zero even when irqd_irq_disabled() returns false—specifically when affinity migration moves the interrupt away from the handling hart while the interrupt is still being serviced. The PLIC specification states that completion messages for interrupts not currently enabled for the target are silently ignored, so the EOI (end-of-interrupt) write is dropped and the interrupt line remains asserted, freezing the device. The fix replaces the irqd_irq_disabled() check with a direct read of the PLIC's own enable bit for the handling hart, ensuring the completion message is only sent when the PLIC will actually process it. This affects RISC-V systems using the SiFive PLIC and can be triggered under load by repeatedly changing interrupt affinity (e.g., for UART during heavy I/O).

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-05-29
Advisory published
2026-03-25
Advisory updated
2026-05-29

Who should care

Organizations running Linux on RISC-V hardware with SiFive PLIC interrupt controllers, particularly those using dynamic interrupt affinity tuning or CPU hotplug on high-throughput devices.

Technical summary

The SiFive PLIC irqchip driver in the Linux kernel contains a race condition between interrupt affinity setting and end-of-interrupt (EOI) handling. The PLIC silently ignores completion writes for interrupts not enabled for the target hart. A prior fix (checking irqd_irq_disabled() before EOI) is insufficient because affinity changes can clear the PLIC enable bit while the interrupt descriptor still appears enabled. The resulting dropped completion freezes the interrupt line. The resolution checks the PLIC's actual enable bit rather than the software interrupt descriptor state.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your branch (see resource links ref-4 through ref-9).
  • If patching is not immediately feasible, avoid changing interrupt affinity for high-throughput devices (e.g., UART) under load on RISC-V systems using the SiFive PLIC.
  • Monitor for device freeze symptoms (e.g., unresponsive UART, stuck interrupt counters in /proc/interrupts) as indicators of this condition.
  • Plan kernel updates to versions 6.1.167+, 6.6.130+, 6.12.77+, 6.18.17+, 6.19.7+, or 7.0-rc2+ when available.

Evidence notes

CVE published 2026-03-25; modified 2026-05-29. NVD status: Analyzed. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Affected Linux kernel versions: 5.1 through 6.1.166, 6.2 through 6.6.129, 6.7 through 6.12.76, 6.13 through 6.18.16, 6.19 through 6.19.6, and 7.0:rc1. Six stable-branch patches are referenced. No KEV entry. No known ransomware campaign use.

Official resources

public