CVE-2026-43061 - Vulnerability Details

- serial: 8250: Fix TX deadlock when using DMA

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: Fix TX deadlock when using DMA

`dmaengine_terminate_async` does not guarantee that the
`__dma_tx_complete` callback will run. The callback is currently the
only place where `dma->tx_running` gets cleared. If the transaction is
canceled and the callback never runs, then `dma->tx_running` will never
get cleared and we will never schedule new TX DMA transactions again.

This change makes it so we clear `dma->tx_running` after we terminate
the DMA transaction. This is "safe" because `serial8250_tx_dma_flush`
is holding the UART port lock. The first thing the callback does is also
grab the UART port lock, so access to `dma->tx_running` is serialized.

Published: 2026-05-05

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Linux 8250 serial driver prevents the DMA transmission flag from being cleared when a DMA operation is cancelled and its completion callback does not run. The flag remains set and subsequent DMA transmit requests are blocked, causing the UART port to hang. This defect does not grant privilege escalation or remote code execution; it merely disrupts serial output, which can impact management, diagnostics, or boot processes that rely on UART communication.

Affected Systems

The affected product is the Linux kernel’s 8250 UART serial driver. No specific kernel version ranges are enumerated, so any kernel build containing the driver before the patch that clears the TX flag is potentially vulnerable. The fix is present in the mainline kernel repository and is referenced by several commit URLs. Administrators should verify that their running kernel includes the commit sequence that implements the clearing of the DMA running flag or consider upgrading to a patched kernel.

Risk and Exploitability

The vulnerability requires a local or privileged user to trigger a DMA cancellation on an UART device, so the attack surface is limited to physical or compromised systems with control over the serial driver. There is no publicly reported exploitation and the EPSS score is unavailable, indicating low likelihood of exploitation. The impact is service disruption rather than data compromise. Because the defect is confined to UART instances using DMA, the risk is moderate: an attacker could cause a denial of service but would not gain further privileges or exfiltrate data. The vulnerability is not listed in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7c47e637dfadfbc691dd297b91d81ef939ca2080`	affected	< 8190f9ab6ad90cb97652adbebd238b874a4ef70d
`bf3f395b9c37956eca866c9e1679769ed7dcce68`	affected	< 79a19bd936bb35f56ef0ccab1b3b59ebce8c762d
`d470522c597b73e63cca04f3012aec28185113b7`	affected	< f76d91271bcacbd759a2e4ee3ea61faa6a727ccf
`5e00346deb7bf40a4cf70e3716ac8e9a2409eb55`	affected	< d2719a0a9c3439abf67843a5504b7afccd9ded93
`c8a52c772c7c6de72257a435bcad03d3bb914a70`	affected	< 2a72403b985aea6b4aac3171830492f9a387f9e1
`9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583`	affected	< 5f6b17562f03fc65c7d3474ef8f1959b19d1ca41
`9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583`	affected	< b5ad887339503103d0fbe9827b16ad287597c275
`9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583`	affected	< a424a34b8faddf97b5af41689087e7a230f79ba7
`bbec5998d7bd349730f59c959a8b00cfff816e34`	affected	—
`59f751db7f392fa7a58cbd972205982f7f4f5854`	affected	—

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7c47e637dfadfbc691dd297b91d81ef939ca2080,8190f9ab6ad90cb97652adbebd238b874a4ef70d)`	affected	code_commit	—
`[bf3f395b9c37956eca866c9e1679769ed7dcce68,79a19bd936bb35f56ef0ccab1b3b59ebce8c762d)`	affected	code_commit	—
`[d470522c597b73e63cca04f3012aec28185113b7,f76d91271bcacbd759a2e4ee3ea61faa6a727ccf)`	affected	code_commit	—
`[5e00346deb7bf40a4cf70e3716ac8e9a2409eb55,d2719a0a9c3439abf67843a5504b7afccd9ded93)`	affected	code_commit	—
`[c8a52c772c7c6de72257a435bcad03d3bb914a70,2a72403b985aea6b4aac3171830492f9a387f9e1)`	affected	code_commit	—
`[9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583,5f6b17562f03fc65c7d3474ef8f1959b19d1ca41)`	affected	code_commit	—
`[9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583,b5ad887339503103d0fbe9827b16ad287597c275)`	affected	code_commit	—
`[9e512eaaf8f4008c44ede3dfc0fbc9d9c5118583,a424a34b8faddf97b5af41689087e7a230f79ba7)`	affected	code_commit	—
`[bbec5998d7bd349730f59c959a8b00cfff816e34,*]`	affected	code_commit	—
`[59f751db7f392fa7a58cbd972205982f7f4f5854,*]`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	semver	—
`[0,6.14)`	unaffected	semver	—
`[5.10.253,6.0.0)`	unaffected	semver	—
`[5.15.203,6.0.0)`	unaffected	semver	—
`[6.1.167,7.0.0)`	unaffected	semver	—
`[6.6.130,7.0.0)`	unaffected	semver	—
`[6.12.78,7.0.0)`	unaffected	semver	—
`[6.18.20,7.0.0)`	unaffected	semver	—
`[6.19.10,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit adding the clear of dma->tx_running after DMA termination (the patched commits are available in the kernel repository).
If an update is not immediately possible, rebuild the kernel with the CONFIG_SERIAL_8250_DMA configuration option disabled or remove the DMA property for the affected UART devices in the device tree to prevent DMA usage entirely.
Enable and monitor system logs for UART TX stall or failure messages; consider configuring watchdog timers that reset the system if serial communication ceases to ensure continuity of critical management access.

Generated by OpenCVE AI on May 5, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1
https://git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41
https://git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762d
https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d
https://git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7
https://git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275
https://git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93
https://git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccf

History

Tue, 05 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-668

Tue, 05 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix TX deadlock when using DMA `dmaengine_terminate_async` does not guarantee that the `__dma_tx_complete` callback will run. The callback is currently the only place where `dma->tx_running` gets cleared. If the transaction is canceled and the callback never runs, then `dma->tx_running` will never get cleared and we will never schedule new TX DMA transactions again. This change makes it so we clear `dma->tx_running` after we terminate the DMA transaction. This is "safe" because `serial8250_tx_dma_flush` is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to `dma->tx_running` is serialized.
Title		serial: 8250: Fix TX deadlock when using DMA
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1 https://git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41 https://git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762d https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d https://git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7 https://git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275 https://git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93 https://git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccf

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-05T15:17:27.079Z

Updated: 2026-05-05T15:17:27.079Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43061

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T16:16:15.210

Modified: 2026-05-05T16:16:15.210

Link: CVE-2026-43061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:00:13Z

Weaknesses

CWE-668

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object