Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35

[Why]
A backport of the change made for DCN401 that addresses an issue where
we turn off the PHY PLL when disabling TMDS output, which causes the
OTG to remain stuck.

The OTG being stuck can lead to a hang in the DCHVM's ability to ACK
invalidations when it thinks the HUBP is still on but it's not receiving
global sync.

The transition to PLL_ON needs to be atomic as there's no guarantee
that the thread isn't pre-empted or is able to complete before the
IOMMU watchdog times out.

[How]
Backport the implementation from dcn401 back to dcn35.

There's a functional difference in when the eDP output is disabled in
dcn401 code so we don't want to utilize it directly.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel’s AMD display driver introduces a race condition during the transition of the PHY finite state machine to the PLL_ON state for TMDS on DCN35. Because the transition is not performed atomically, an IOMMU watchdog timeout can occur, leaving the OTG subsystem stuck. This leads to a system hang where the GPU cannot acknowledge memory invalidations, ultimately causing overall kernel instability or service disruption. The weakness is a classic race condition that affects the integrity and availability of the system.

Affected Systems

All Linux kernel installations that include the AMD display driver for DCN35 hardware configurations are affected. No specific kernel version or distribution was listed, so any distribution running a kernel that incorporates the unpatched AMD DCN35 display driver is potentially vulnerable.

Risk and Exploitability

The exploit requires local kernel privileges to trigger the improper PHY transition, such as disabling eDP output or manipulating the driver’s state. Because the vulnerability is limited to driver state changes and does not expose a remote entry point, the risk is primarily local. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, implying no known active exploitation. However, an attacker with local access could force a system hang, causing denial of service. The CVSS score is not provided, but the effect is consistent with a high-severity issue that warrants immediate remediation.

Generated by OpenCVE AI on May 6, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the upstream kernel patch that backports the DCN401 implementation to DCN35, ensuring the PHY transition to PLL_ON is atomic.
  • If a patch is not yet available for your kernel version, disable the DCN35 eDP output during operation or manually adjust BIOS/firmware settings to prevent the issue from occurring until a kernel update is applied.
  • Verify that the IOMMU watchdog timeout policy is correctly configured to avoid false positives and that the fix correctly resets the OTG subsystem; monitor kernel logs for OTG-related errors and reboot if a hang occurs.


Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-790 |

Wed, 06 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly. |
| Title | | drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:00.470Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43191

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:37.970

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:30:06Z

Weaknesses