CVE-2026-43353 - Vulnerability Details

- i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

Description

In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that timeout around the same time. However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.

Published: 2026-05-08

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The i3c mipi‑i3c‑hci driver in the Linux kernel contains a race condition in its DMA dequeue routine. When several data transfers time out near one another, the hci_dma_dequeue_xfer() function can run concurrently, stopping and restarting the DMA ring out of sync. This lack of serialization can leave the ring in an inconsistent state and may cause the driver to malfunction.

Affected Systems

All Linux kernel releases that include the mipi‑i3c‑hci driver but have not yet applied the commit adding a mutex around hci_dma_dequeue_xfer() are affected. Kernel versions built before these changes are at risk.

Risk and Exploitability

The flaw is confined to the kernel and would likely require an attacker with local or elevated privileges to generate simultaneous transfer timeouts, a scenario that is usually limited to trusted users or code running on the host. The CVSS score of 7.0 indicates a medium‑high severity, the EPSS score is not available, and the vulnerability is not listed in CISA KEV. Remote exploitation is unlikely without such privileges, so the overall risk for systems that expose the mipi‑i3c‑hci interface to untrusted code is moderate.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9ad9a52cce2828d932ae9495181e3d6414f72c07`	affected	< b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e
`9ad9a52cce2828d932ae9495181e3d6414f72c07`	affected	< 4faa1e9c67a2229f6749190aedaf88ce0391efd2
`9ad9a52cce2828d932ae9495181e3d6414f72c07`	affected	< 1dca8aee80eea76d2aae21265de5dd64f6ba0f09

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9ad9a52cce2828d932ae9495181e3d6414f72c07,b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e)`	affected	code_commit	—
`[9ad9a52cce2828d932ae9495181e3d6414f72c07,4faa1e9c67a2229f6749190aedaf88ce0391efd2)`	affected	code_commit	—
`[9ad9a52cce2828d932ae9495181e3d6414f72c07,1dca8aee80eea76d2aae21265de5dd64f6ba0f09)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.11`	affected	generic	—
`[0,5.11)`	unaffected	generic	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the commit adding the mutex to protect hci_dma_dequeue_xfer().
If a kernel upgrade cannot be performed immediately, restrict privileged access to the mipi‑i3c‑hci driver so that only trusted code can initiate DMA operations, reducing the possibility of concurrent timeouts.
Implement monitoring or logging of DMA ring start/stop events to detect unexpected state changes that could indicate a race condition is occurring.

Generated by OpenCVE AI on May 9, 2026 at 02:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09
https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2
https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e
https://lore.kernel.org/linux-cve-announce/2026050823-CVE-2026-43353-06fc@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43353
https://www.cve.org/CVERecord?id=CVE-2026-43353

History

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-820
References		https://lore.kernel.org/linux-cve-announce/2026050823-CVE-2026-43353-06fc@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43353 https://www.cve.org/CVERecord?id=CVE-2026-43353
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times. Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself.
Title		i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09 https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2 https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:10.282Z

Updated: 2026-05-08T14:21:10.282Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43353

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:46.043

Modified: 2026-05-08T15:16:46.043

Link: CVE-2026-43353

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43353 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:15:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object