CVE-2026-43352
Received Received - Intake
Race Condition in Linux Kernel I3C MIPI-HCI Driver

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action. Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43352
EUVD
EUVD-2026-28658
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's i3c driver, specifically in the mipi-i3c-hci component responsible for handling DMA ring abort operations.

The issue arises because the abort logic for the DMA ring has several flaws: it issues an abort even if the ring is already stopped, does not properly re-initialize the completion used to wait for abort completion, unintentionally clears a control bit (RING_CTRL_ENABLE) that resets hardware ring pointers and disrupts the controller state, and does not treat an already stopped ring as a successful abort condition.

The fix involves checking if the ring is running before aborting, re-initializing the completion when needed, ensuring the control bit remains asserted during abort, and treating an already stopped ring as a successful abort.

Impact Analysis

This vulnerability can cause improper handling of the DMA ring abort process in the i3c driver, potentially leading to disruption of the controller state.

Specifically, the unintended clearing of control bits and incorrect abort handling may reset hardware ring pointers unexpectedly, which could result in instability or malfunction of the hardware controller relying on this driver.

Such disruptions could affect system reliability or performance where this driver and hardware are in use.

Mitigation Strategies

The vulnerability involves incorrect handling of the DMA ring abort sequence in the Linux kernel's i3c mipi-i3c-hci driver.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue. The fix corrects the abort handling by:

  • Checking whether the ring is running before issuing an abort.
  • Re-initializing the completion when needed.
  • Ensuring that RING_CTRL_ENABLE remains asserted during abort.
  • Treating an already stopped ring as a successful condition.

Applying the kernel update will prevent the flawed abort logic from disrupting the controller state.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart