CVE-2026-43415
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel UFS Driver Leads to SError

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43415
EUVD
EUVD-2026-28721
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 6.8 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.6.81 (inc) to 6.6.130 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's UFS (Universal Flash Storage) subsystem. It is caused by a race condition in the suspend process of the UFS host controller driver. Specifically, the function cancel_delayed_work_sync() is called too late, after ufshcd_vops_suspend(), allowing the ufshcd_rtc_work() function to run concurrently with suspend operations.

When the hardware does not support clock gating, a condition causes ufshcd_update_rtc() to be executed during clock gating operations, which triggers an asynchronous SError interrupt leading to a kernel panic.

The fix involves moving the cancel_delayed_work_sync() call to before ufshcd_vops_suspend(), ensuring that the UFS RTC work is fully completed or cancelled before suspend operations proceed, preventing the race condition and subsequent kernel panic.

Impact Analysis

This vulnerability can cause the Linux kernel to panic unexpectedly due to an asynchronous SError interrupt triggered during UFS suspend operations.

A kernel panic results in a system crash, which can lead to data loss, system downtime, and reduced reliability of devices using affected Linux kernel versions with UFS storage.

Systems relying on UFS storage and running vulnerable Linux kernel versions may experience instability or crashes during suspend/resume cycles.

Detection Guidance

This vulnerability manifests as a kernel panic with an Asynchronous SError Interrupt related to the UFS suspend process in the Linux kernel.

Detection can be done by monitoring system logs for kernel panic messages that include traces similar to the following call trace: dump_backtrace, show_stack, panic, nmi_panic, arm64_serror_panic, ufshcd_rtc_work, and related functions.

You can check the kernel logs using commands such as:

  • dmesg | grep -i 'Kernel panic'
  • journalctl -k | grep -i 'SError Interrupt'
  • journalctl -k | grep -i 'ufshcd_rtc_work'

Additionally, monitoring for unexpected system reboots or crashes related to UFS device suspend operations can help identify this issue.

Mitigation Strategies

The vulnerability is fixed by changing the order of operations in the Linux kernel code to ensure that cancel_delayed_work_sync() is called before ufshcd_vops_suspend(), preventing the race condition.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, avoid suspending UFS devices or disable UFS suspend features temporarily to prevent triggering the race condition.
  • Monitor system stability and logs for signs of kernel panics related to UFS suspend operations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43415. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart