CVE-2026-43363
Received Received - Intake
x2apic Resume Issue in Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be disabled, i.e. when x2apic_mode = 0. The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the pre-sleep configuration or initial boot configuration for each CPU, including MSR state: When executing from the power-on reset vector as a result of waking from an S2 or S3 sleep state, the platform firmware performs only the hardware initialization required to restore the system to either the state the platform was in prior to the initial operating system boot, or to the pre-sleep configuration state. In multiprocessor systems, non-boot processors should be placed in the same state as prior to the initial operating system boot. (further ahead) If this is an S2 or S3 wake, then the platform runtime firmware restores minimum context of the system before jumping to the waking vector. This includes: CPU configuration. Platform runtime firmware restores the pre-sleep configuration or initial boot configuration of each CPU (MSR, MTRR, firmware update, SMBase, and so on). Interrupts must be disabled (for IA-32 processors, disabled by CLI instruction). (and other things) So at least as per the spec, re-enablement of x2apic by the firmware is allowed if "x2apic on" is a part of the initial boot configuration. [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization [ bp: Massage. ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43363
EUVD
EUVD-2026-28669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel related to the handling of the x2apic mode during system resume from the S2RAM sleep state. When the system resumes, the firmware may re-enable x2apic mode even if the kernel had disabled it during boot because it does not support IRQ remapping or for other reasons. This mismatch causes the kernel to continue using the older xapic interface while the hardware operates in x2apic mode, leading to system hangs.

The issue happens specifically on systems with default configuration (defconfig), running on bare metal hardware, and resuming from S2RAM. The fix involves disabling x2apic mode during resume if the kernel expects it to be disabled, ensuring consistency between the kernel and hardware states.


How can this vulnerability impact me? :

This vulnerability can cause the system to hang when resuming from the S2RAM sleep state. The hang occurs because the kernel and hardware are out of sync regarding the x2apic mode, which is critical for interrupt handling. Such hangs can lead to system instability, loss of unsaved data, and potential downtime.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by disabling x2apic on resume if the kernel expects it to be disabled. To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes the fix in lapic_resume() which disables x2apic mode on resume when x2apic_mode is set to 0.

Since the issue occurs when resuming from s2ram and the firmware re-enables x2apic mode, you should avoid using s2ram suspend states on affected systems until the kernel is patched.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart