Description
In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue

The logic used to abort the DMA ring contains several flaws:

1. The driver unconditionally issues a ring abort even when the ring has
already stopped.
2. The completion used to wait for abort completion is never
re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which
resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be
considered successful without attempting further action.

Fix the abort handling by checking whether the ring is running before
issuing an abort, re-initializing the completion when needed, ensuring that
RING_CTRL_ENABLE remains asserted during abort, and treating an already
stopped ring as a successful condition.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel driver for the I3C MIPI interface contains logic flaws that incorrectly attempt to abort a DMA ring. The driver unconditionally aborts even when the ring is already stopped, never re‑initialises the completion used to wait for abort, and inadvertently clears the control enable bit, resetting ring pointers and disrupting controller state. If the ring is already stopped the abort is treated as a success. These flaws can lead to corrupted ring state and loss of communication with I3C devices, resulting in a denial of service or system instability for processes that rely on the driver.

Affected Systems

All Linux kernel releases that include the i3c mipi-i3c-hci driver before the patch was applied are affected. The flaw exists in the kernel’s i3c subsystem prior to the commit that fixes the abort logic; no specific version numbers are listed, but any distribution using a kernel older than the patch is impacted.

Risk and Exploitability

The CVSS score of 7.0 indicates a medium‑to‑high severity vulnerability, and the EPSS score is not available while the vulnerability is not listed in the CISA KEV catalog. The flaw requires execution of the driver’s abort routine, implying that an attacker would need kernel‑level privileges or an ability to trigger the abort sequence from user space through a device interface. If successfully triggered, the impacted system could lose I3C functionality or experience a kernel panic, leading to service disruption. Because the state corruption is confined to the specific I3C controller instance, the impact is limited to devices that use that controller.

Generated by OpenCVE AI on May 9, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the i3c mipi-i3c-hci patch for correct ring abort handling.
  • If an update cannot be applied immediately, disable the i3c mipi-i3c-hci driver or block use of the affected I3C device until the fix is in place.
  • After updating or disabling, monitor system logs for any abnormal ring abort messages and verify that I3C communication remains stable.
  • If compiling a custom kernel, reapply the commit that corrects the abort logic before building and installing the kernel.

Generated by OpenCVE AI on May 9, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action. Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition.
Title i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:09.552Z

Reserved: 2026-05-01T14:12:56.004Z

Link: CVE-2026-43352

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:45.937

Modified: 2026-05-08T15:16:45.937

Link: CVE-2026-43352

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43352 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:00:14Z

Weaknesses