Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: designware: amdisp: Fix resume-probe race condition issue

Identified resume-probe race condition in kernel v7.0 with the commit
38fa29b01a6a ("i2c: designware: Combine the init functions"), but this
issue existed from the beginning though not detected.

The amdisp i2c device requires ISP to be in power-on state for probe
to succeed. To meet this requirement, this device is added to genpd
to control ISP power using runtime PM. The pm_runtime_get_sync() called
before i2c_dw_probe() triggers PM resume, which powers on ISP and also
invokes the amdisp i2c runtime resume before the probe completes resulting
in this race condition and a NULL dereferencing issue in v7.0.

Fix this race condition by using the genpd APIs directly during probe:
- Call dev_pm_genpd_resume() to Power ON ISP before probe
- Call dev_pm_genpd_suspend() to Power OFF ISP after probe
- Set the device to suspended state with pm_runtime_set_suspended()
- Enable runtime PM only after the device is fully initialized
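
A user-space C model of the two probe orderings described above, added here as an illustration; it is not the kernel driver's code or the patch. The model_* names, struct model_dev and the unsafe_resumes counter are assumptions made for the model, and the kernel calls appear only as comments.

```c
/* User-space model of the probe ordering (constructed; not kernel code). */
#include <stdbool.h>
#include <stddef.h>

struct model_dev {
    bool isp_powered;    /* ISP power domain state */
    bool rpm_enabled;    /* runtime PM callbacks may be invoked */
    void *drvdata;       /* valid only after the core probe has run */
    int unsafe_resumes;  /* resume callback entered with drvdata == NULL */
};
static int controller_state; /* stands in for the initialised controller */

/* Driver runtime-resume callback: assumes drvdata is valid. */
static void model_runtime_resume(struct model_dev *d) {
    if (d->drvdata == NULL)
        d->unsafe_resumes++; /* in the kernel: the NULL dereference */
}
/* Models pm_runtime_get_sync(): power the domain, then call the driver. */
static void model_rpm_get_sync(struct model_dev *d) {
    d->isp_powered = true;
    if (d->rpm_enabled)
        model_runtime_resume(d);
}
/* Models i2c_dw_probe(): needs ISP power, then publishes drvdata. */
static int model_core_probe(struct model_dev *d) {
    if (!d->isp_powered)
        return -1;
    d->drvdata = &controller_state;
    return 0;
}
/* Racy ordering: runtime PM resume reaches the driver before core probe. */
int probe_racy(struct model_dev *d) {
    d->rpm_enabled = true;
    model_rpm_get_sync(d);
    return model_core_probe(d);
}
/* Fixed ordering: genpd on, probe, genpd off, then enable runtime PM. */
int probe_fixed(struct model_dev *d) {
    d->isp_powered = true;          /* dev_pm_genpd_resume() */
    int ret = model_core_probe(d);
    d->isp_powered = false;         /* dev_pm_genpd_suspend() */
    d->rpm_enabled = (ret == 0);    /* after pm_runtime_set_suspended() */
    return ret;
}
int main(void) {
    struct model_dev a = {0}, b = {0};
    probe_racy(&a);
    probe_fixed(&b);
    return (a.unsafe_resumes == 1 && b.unsafe_resumes == 0) ? 0 : 1;
}
```
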
Published: 2026-04-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: NULL dereference leading to kernel crash
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a race condition in the I²C designware driver for the amdisp device. It occurs when the runtime power‑management routine triggers an ISP power‑on during probe before the driver’s initialization completes, resulting in a NULL dereference that can crash the kernel and cause a denial of service. The flaw corresponds to CWE‑362 (Race Condition) and CWE‑367 (Improper Locking).

Affected Systems

All Linux kernel releases up through the initial stable release of version 7.0, including kernel 6.16 and the 7.0‑rc releases 1–7, are affected. The issue existed from the outset of the driver; only the commit that reordered the PM calls in v7.0 applied the fix. Systems running any kernel that does not contain this commit are vulnerable.

Risk and Exploitability

The CVSS score of 4.7 places the flaw in the medium‑severity range, and the EPSS score of < 1 % indicates a very low observed exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local, as it requires the kernel’s probe routine to run during boot or when the device is enabled. An attacker with local or kernel privilege could trigger a kernel crash and cause a denial of service. The patch eliminates the race by calling the generic power‑domain API directly during probe, suspending the device afterward, and enabling runtime PM only after initialization.

Generated by OpenCVE AI on April 28, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel version that includes commit 38fa29b01a which fixes the race condition
  • Reboot the system so that the patched kernel takes effect
  • If the device is not required, disable the amdisp i2c device via device tree or modprobe options to avoid triggering the probe routine

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Weaknesses
  Values Added: CWE-362

CPEs
  Values Added:
    cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000

Weaknesses
  Values Added: CWE-367

References

Metrics
  Values Removed: threat_severity None
  Values Added:
    cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    threat_severity Moderate


Fri, 24 Apr 2026 15:00:00 +0000

Description
  Values Added: In the Linux kernel, the following vulnerability has been resolved: i2c: designware: amdisp: Fix resume-probe race condition issue Identified resume-probe race condition in kernel v7.0 with the commit 38fa29b01a6a ("i2c: designware: Combine the init functions"), but this issue existed from the beginning though not detected. The amdisp i2c device requires ISP to be in power-on state for probe to succeed. To meet this requirement, this device is added to genpd to control ISP power using runtime PM. The pm_runtime_get_sync() called before i2c_dw_probe() triggers PM resume, which powers on ISP and also invokes the amdisp i2c runtime resume before the probe completes resulting in this race condition and a NULL dereferencing issue in v7.0 Fix this race condition by using the genpd APIs directly during probe: - Call dev_pm_genpd_resume() to Power ON ISP before probe - Call dev_pm_genpd_suspend() to Power OFF ISP after probe - Set the device to suspended state with pm_runtime_set_suspended() - Enable runtime PM only after the device is fully initialized

Title
  Values Added: i2c: designware: amdisp: Fix resume-probe race condition issue

First Time appeared
  Values Added:
    Linux
    Linux linux Kernel

CPEs
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendors & Products
  Values Added:
    Linux
    Linux linux Kernel

References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:22.941Z

Reserved: 2026-03-09T15:48:24.118Z

Link: CVE-2026-31572

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:31.757

Modified: 2026-04-27T20:33:52.767

Link: CVE-2026-31572

Red Hat

Severity: Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31572 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z