Description
In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: Fix TX deadlock when using DMA

`dmaengine_terminate_async` does not guarantee that the
`__dma_tx_complete` callback will run. The callback is currently the
only place where `dma->tx_running` gets cleared. If the transaction is
canceled and the callback never runs, then `dma->tx_running` will never
get cleared and we will never schedule new TX DMA transactions again.

This change makes it so we clear `dma->tx_running` after we terminate
the DMA transaction. This is "safe" because `serial8250_tx_dma_flush`
is holding the UART port lock. The first thing the callback does is also
grab the UART port lock, so access to `dma->tx_running` is serialized.
Published: 2026-05-05
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux 8250 serial driver prevents the flag that indicates an ongoing DMA transmission from being cleared if the DMA operation is canceled and its completion callback does not execute. Because the flag remains set, subsequent attempts to initiate UART DMA for transmit are blocked, causing the serial port to hang. This defect does not provide privilege escalation or remote code execution; it merely disrupts serial output, which can impact boot sequences, kernel logging, or remote management that relies on UART communication.

Affected Systems

The vulnerability affects the Linux kernel’s 8250 serial driver. Kernels built without the patch that clears dma->tx_running after DMA termination are potentially vulnerable. The fix is present in the mainline kernel repository in the referenced commits, so any kernel prior to the inclusion of those commits may be at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, while the EPSS score of < 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attack requires local or privileged access to trigger a DMA cancellation on an UART device, limiting the attack surface to systems where an attacker can control the serial driver or the hardware configuration. No remote exploitation vector is described. The impact is service disruption rather than data compromise or privilege escalation.

Generated by OpenCVE AI on May 6, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit implementing the clear of dma->tx_running after DMA termination (the patch is available in the upstream kernel repository).
  • If a kernel update cannot be applied immediately, rebuild the kernel with the CONFIG_SERIAL_8250_DMA configuration option disabled or remove the DMA property for the affected UART devices in the device tree to prevent DMA usage entirely.
  • Enable and monitor system logs for UART transmit stall messages or use a watchdog timer to reset the system if serial communication ceases, ensuring continuity of essential management access.

Generated by OpenCVE AI on May 6, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-413
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix TX deadlock when using DMA `dmaengine_terminate_async` does not guarantee that the `__dma_tx_complete` callback will run. The callback is currently the only place where `dma->tx_running` gets cleared. If the transaction is canceled and the callback never runs, then `dma->tx_running` will never get cleared and we will never schedule new TX DMA transactions again. This change makes it so we clear `dma->tx_running` after we terminate the DMA transaction. This is "safe" because `serial8250_tx_dma_flush` is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to `dma->tx_running` is serialized.
Title serial: 8250: Fix TX deadlock when using DMA
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:10.956Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43061

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:15.210

Modified: 2026-05-06T13:08:07.970

Link: CVE-2026-43061

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43061 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T18:30:09Z

Weaknesses