CVE-2026-43191 - Vulnerability Details

- drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35

[Why]
A backport of the change made for DCN401 that addresses an issue where
we turn off the PHY PLL when disabling TMDS output, which causes the
OTG to remain stuck.

The OTG being stuck can lead to a hang in the DCHVM's ability to ACK
invalidations when it thinks the HUBP is still on but it's not receiving
global sync.

The transition to PLL_ON needs to be atomic as there's no guarantee
that the thread isn't pre-empted or is able to complete before the
IOMMU watchdog times out.

[How]
Backport the implementation from dcn401 back to dcn35.

There's a functional difference in when the eDP output is disabled in
dcn401 code so we don't want to utilize it directly.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the AMD display driver of the Linux kernel, a race condition exists when the physical layer finite state machine transitions from TX_EN to PLL_ON for TMDS on DCN35. The transition is not performed atomically, which can allow the OTG subsystem to remain stuck after TMDS is disabled. This stuck state can prevent the DCHVM from acknowledging invalidations, potentially leading to a kernel hang or system unresponsiveness.

Affected Systems

All Linux kernel installations that include the AMD DCN35 display driver and have not applied the backported DCN401 fix are affected. The issue is present in any kernel version containing the unpatched DCN35 code, regardless of distribution.

Risk and Exploitability

The vulnerability requires the ability to manipulate the driver’s state, such as disabling eDP output, which implies a local or privileged attacker. No remote code execution path is described, and no active exploitation is known. The CVSS score of 5.5 indicates a medium severity, and the EPSS score of <1% indicates a very low probability of exploitation; the vulnerability is not listed in the CISA KEV catalog, suggesting that, while the potential for a system-wide hang exists, exploitation is unlikely without local access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ec129fa356bea5411cb16833cc5dab32689ea389`	affected	< d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51
`ec129fa356bea5411cb16833cc5dab32689ea389`	affected	< 75372d75a4e23783583998ed99d5009d555850da

Linux

affected

Version	Status	Constraints
`6.7`	affected	—
`0`	unaffected	< 6.7
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,75372d75a4e23783583998ed99d5009d555850da)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream kernel patch that backports the DCN401 implementation to DCN35, making the PHY transition to PLL_ON atomic.
If a patched kernel is not available, upgrade to a kernel release that contains the fix or await a distribution security update.
As a temporary workaround, disable eDP output or configure firmware to keep the PHY powered when disabling TMDS on DCN35 hardware to avoid triggering the hang.
Enable monitoring for OTG-related warnings in kernel logs and reboot the system if a hang occurs.

Generated by OpenCVE AI on May 11, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/75372d75a4e23783583998ed99d5009d555850da
https://git.kernel.org/stable/c/d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51
https://lore.kernel.org/linux-cve-announce/2026050642-CVE-2026-43191-8efb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43191
https://www.cve.org/CVERecord?id=CVE-2026-43191

History

Mon, 11 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-790

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026050642-CVE-2026-43191-8efb@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43191 https://www.cve.org/CVERecord?id=CVE-2026-43191

Wed, 06 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-790

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly.
Title		drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/75372d75a4e23783583998ed99d5009d555850da https://git.kernel.org/stable/c/d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:00.470Z

Updated: 2026-05-11T22:19:36.402Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43191

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:37.970

Modified: 2026-05-11T20:51:38.467

Link: CVE-2026-43191

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43191 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:15:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object