Description
In the Linux kernel, the following vulnerability has been resolved:

accel/qaic: Handle DBC deactivation if the owner went away

When a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV
transaction to the host over the QAIC_CONTROL MHI channel. QAIC handles
this by calling decode_deactivate() to release the resources allocated for
that DBC. Since that handling is done in the qaic_manage_ioctl() context,
if the user goes away before receiving and handling the deactivation, the
host will be out-of-sync with the DBCs available for use, and the DBC
resources will not be freed unless the device is removed. If another user
loads and requests to activate a network, then the device assigns the same
DBC to that network, QAIC will "indefinitely" wait for dbc->in_use = false,
leading the user process to hang.

As a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions
that are received after the user has gone away.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The accel/qaic driver contains a flaw (CWE‑415 and CWE‑772) where deactivation messages from a device are dropped if the owning user process terminates before the host handles them. As a result, the device continues to believe the DBC is in use and never releases it unless the device is physically removed. When a subsequent user attempts to activate that same DBC, the driver indefinitely waits for the in‑use flag to clear, causing the process to hang. This manifests as a denial‑of‑service condition for components that rely on the QAIC subsystem.
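
A simplified user-space model of the host/device mismatch set out in the Description, added here as an illustration; it is not the qaic driver's code or the upstream patch. Apart from `in_use`, `decode_deactivate()` and `QAIC_TRANS_DEACTIVATE_FROM_DEV`, every name is hypothetical, and the shape of the fix is an assumption based on the description's final sentence.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only. Apart from in_use, decode_deactivate() and
 * QAIC_TRANS_DEACTIVATE_FROM_DEV, every name here is hypothetical. */
#define NUM_DBC 2

struct host_state {
    bool in_use[NUM_DBC];         /* host's view of each DBC: dbc->in_use */
    bool deactivate_msg[NUM_DBC]; /* QAIC_TRANS_DEACTIVATE_FROM_DEV received, unhandled */
};

/* Stand-in for decode_deactivate(): release host-side state for signalled DBCs. */
static void handle_deactivations(struct host_state *h)
{
    for (int id = 0; id < NUM_DBC; id++) {
        if (h->deactivate_msg[id]) {
            h->in_use[id] = false;
            h->deactivate_msg[id] = false;
        }
    }
}

/* Pre-fix: deactivations are only processed inside the owner's manage ioctl. */
static void owner_manage_ioctl(struct host_state *h, bool owner_alive)
{
    if (owner_alive)              /* a departed owner never makes this call */
        handle_deactivations(h);
}

/* True if a second user can activate on DBC 0; false models the endless wait. */
bool second_user_can_activate(bool with_fix)
{
    struct host_state h = {0};
    bool owner_alive = true;
    h.in_use[0] = true;           /* first user activates a network on DBC 0 */
    owner_alive = false;          /* ...and exits before the deactivation arrives */
    h.deactivate_msg[0] = true;   /* device releases DBC 0 and notifies the host */
    owner_manage_ioctl(&h, owner_alive);
    if (with_fix)                 /* assumed fix shape: handle it with no owner present */
        handle_deactivations(&h);
    return !h.in_use[0];          /* device hands out DBC 0 again; host must see it free */
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", second_user_can_activate(false), second_user_can_activate(true));
    return 0;
}
```

In the pre-fix run the host still records DBC 0 as in use after the device has released it, which is the condition the next activation waits on.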

Affected Systems

Linux kernel builds that include the accel/qaic driver are affected. No specific kernel versions are listed in the CVE record; administrators should verify whether their running kernel contains the commit that introduced the fix or upgrade to a kernel version that includes the patch.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. Because the EPSS score is < 1%, the exploitation probability is low, although the vulnerability resides in kernel driver code and requires local access to the QAIC interface. The likely attack vector is an attacker who controls a user process that owns a DBC and terminates it prematurely; this is inferred from the description and not directly stated in the input. The consequence is a hang and resource freeze that can affect subsequent users, but it does not compromise confidentiality or integrity. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the QAIC_TRANS_DEACTIVATE_FROM_DEV fix
  • If a kernel upgrade cannot be applied immediately, remove or power‑cycle the QAIC device to force cleanup of all DBC resources
  • Continuously monitor kernel logs for "QAIC deactivation" errors and be prepared to reboot or disable QAIC functionality until the patch is applied


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title accel/qaic: Handle DBC deactivation if the owner went away
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:54.042Z

Reserved: 2026-05-01T14:12:55.974Z

Link: CVE-2026-43007

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:44.553

Modified: 2026-05-07T20:24:32.047

Link: CVE-2026-43007

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43007 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T22:00:12Z
