CVE-2026-43072

Vulnerability

In the Linux kernel's DRM vc4 driver (drm/vc4), the function platform_get_irq_byname() returns an integer, which can be negative on error. The driver was passing this value directly to devm_request_threaded_irq() without checking for errors. This can lead to passing a negative IRQ number to the interrupt registration function, resulting in undefined behavior.

Exploitation

An attacker would need to trigger the error path in platform_get_irq_byname(), which could occur if the device tree lacks the specified interrupt name or if there is a probe failure. No authentication or special privileges are required beyond the ability to trigger the affected code path, which may be reachable from userspace via DRM ioctls or device enumeration.

Impact

If exploited, this vulnerability could cause a kernel panic, denial of service, or potentially more severe consequences due to the use of an invalid IRQ number. The exact impact depends on the system state and the value of the returned error code.

Mitigation

The issue is fixed in Linux kernel stable commits [1], [2], [3], and [4]. Users should apply the latest updates from their distribution or update to a kernel version containing these patches.