CVE-2026-43415
Received - Intake
Race Condition in Linux Kernel UFS Driver Leads to SError

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows:

  Kernel panic - not syncing: Asynchronous SError Interrupt
  Call trace:
   dump_backtrace+0xec/0x128
   show_stack+0x18/0x28
   dump_stack_lvl+0x40/0xa0
   dump_stack+0x18/0x24
   panic+0x148/0x374
   nmi_panic+0x3c/0x8c
   arm64_serror_panic+0x64/0x8c
   do_serror+0xc4/0xc8
   el1h_64_error_handler+0x34/0x4c
   el1h_64_error+0x68/0x6c
   el1_interrupt+0x20/0x58
   el1h_64_irq_handler+0x18/0x24
   el1h_64_irq+0x68/0x6c
   ktime_get+0xc4/0x12c
   ufshcd_mcq_sq_stop+0x4c/0xec
   ufshcd_mcq_sq_cleanup+0x64/0x1dc
   ufshcd_clear_cmd+0x38/0x134
   ufshcd_issue_dev_cmd+0x298/0x4d0
   ufshcd_exec_dev_cmd+0x1a4/0x1c4
   ufshcd_query_attr+0xbc/0x19c
   ufshcd_rtc_work+0x10c/0x1c8
   process_scheduled_works+0x1c4/0x45c
   worker_thread+0x32c/0x3e8
   kthread+0x120/0x1d8
   ret_from_fork+0x10/0x20

Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's UFS (Universal Flash Storage) subsystem. It is caused by a race condition in the suspend process of the UFS host controller driver. Specifically, the function cancel_delayed_work_sync() is called too late, after ufshcd_vops_suspend(), allowing the ufshcd_rtc_work() function to run concurrently with suspend operations.

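When UFSHCD_CAP_CLK_GATING is not supported, the check !hba->clk_gating.active_reqs is always true, so ufshcd_update_rtc() is executed. Because ufshcd_vops_suspend() typically performs clock gating operations, running ufshcd_update_rtc() at that moment triggers an asynchronous SError interrupt, leading to a kernel panic.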

The fix involves moving the cancel_delayed_work_sync() call to before ufshcd_vops_suspend(), ensuring that the UFS RTC work is fully completed or cancelled before suspend operations proceed, preventing the race condition and subsequent kernel panic.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to panic unexpectedly due to an asynchronous SError interrupt triggered during UFS suspend operations.

A kernel panic results in a system crash, which can lead to data loss, system downtime, and reduced reliability of devices using affected Linux kernel versions with UFS storage.

Systems relying on UFS storage and running vulnerable Linux kernel versions may experience instability or crashes during suspend/resume cycles.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel panic with an Asynchronous SError Interrupt related to the UFS suspend process in the Linux kernel.

Detection can be done by monitoring system logs for kernel panic messages whose call trace includes functions such as dump_backtrace, show_stack, panic, nmi_panic, arm64_serror_panic and ufshcd_rtc_work.

You can check the kernel logs using commands such as:

  • dmesg | grep -i 'Kernel panic'
  • journalctl -k | grep -i 'SError Interrupt'
  • journalctl -k | grep -i 'ufshcd_rtc_work'

Additionally, monitoring for unexpected system reboots or crashes related to UFS device suspend operations can help identify this issue.
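
An added example, not part of the advisory: a shell helper that matches the specific signature described above (an Asynchronous SError panic whose call trace passes through ufshcd_rtc_work) and checks the places a crashed boot's log can survive. `journalctl -k` implies the current boot, so the helper reads the previous boot with `-b -1`; the sample logs are constructed from the trace on this page, and a persistent journal or enabled pstore is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory. Sample logs below are constructed.

# Exit 0 if stdin holds an "Asynchronous SError Interrupt" panic whose call
# trace passes through ufshcd_rtc_work(); exit 1 otherwise.
has_ufs_rtc_serror() {
    awk '
        /Linux version /                       { in_panic = 0 }  # new boot
        /Kernel panic - not syncing: Asynchronous SError Interrupt/ { in_panic = 1 }
        in_panic && /ufshcd_rtc_work\+0x/      { hit = 1 }
        END { exit hit ? 0 : 1 }
    '
}

# Scan the places a crashed boot's log can survive: the previous boot's
# journal and pstore records (assumes persistent journald and/or pstore).
scan_host() {
    rc=1
    if command -v journalctl >/dev/null 2>&1 &&
       journalctl -k -b -1 --no-pager 2>/dev/null | has_ufs_rtc_serror; then
        echo "match: journal, previous boot"; rc=0
    fi
    for f in /sys/fs/pstore/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        if has_ufs_rtc_serror < "$f"; then echo "match: $f"; rc=0; fi
    done
    return $rc
}

# Constructed sample: panic line plus frames taken from the trace on this page.
sample_panic() {
    cat <<'EOF'
[  812.104311] Kernel panic - not syncing: Asynchronous SError Interrupt
[  812.104330] Call trace:
[  812.104352]  arm64_serror_panic+0x64/0x8c
[  812.104371]  ufshcd_query_attr+0xbc/0x19c
[  812.104389]  ufshcd_rtc_work+0x10c/0x1c8
EOF
}

# Constructed sample: an SError panic with no UFS RTC frame (must not match).
sample_unrelated() {
    cat <<'EOF'
[   95.220014] Kernel panic - not syncing: Asynchronous SError Interrupt
[   95.220031] Call trace:
[   95.220050]  arm64_serror_panic+0x64/0x8c
[   95.220066]  worker_thread+0x32c/0x3e8
EOF
}
```

Call `scan_host` as root after an unexpected reboot; a non-zero return means neither source held the signature, not that the running kernel contains the fix.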


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by changing the order of operations in the Linux kernel code to ensure that cancel_delayed_work_sync() is called before ufshcd_vops_suspend(), preventing the race condition.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, avoid suspending UFS devices or disable UFS suspend features temporarily to prevent triggering the race condition.
  • Monitor system stability and logs for signs of kernel panics related to UFS suspend operations.
