Description
In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that timeout around the same time. However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.

Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mipi-i3c-hci driver in the Linux kernel contains a race condition in its DMA dequeue routine. When multiple data transfers time out simultaneously, hci_dma_dequeue_xfer() can run concurrently, stopping and restarting the DMA ring out of sync. This lack of serialization can leave the ring in an inconsistent state, potentially causing the driver to malfunction or restart, which corresponds to CWE-362 (Race Condition) and CWE-820 (Failure to Synchronize).
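The interleaving described above can be checked exhaustively in a small user-space model. This is an added example, not the kernel driver's code or the upstream patch. The three-step model (stop ring, process, restart ring), the `locked` flag standing in for the mutex, and all names are assumptions made for illustration; it goes beyond the single case in the text by enumerating every interleaving of two calls.

```c
/* Constructed user-space model of the dequeue race; not code from the kernel driver. */
#include <stdbool.h>
#include <stdio.h>

enum step { STOP_RING, PROCESS, RESTART_RING, DONE };
struct ring { bool running, locked; int violations; };

/* Advance one modelled dequeue call by a single step. */
static void advance(struct ring *r, enum step *next, bool serialized)
{
    if (*next == DONE || (*next == STOP_RING && serialized && r->locked))
        return;                       /* finished, or would sleep in mutex_lock() */
    if (*next == PROCESS) {
        r->violations += r->running;  /* ring restarted by a peer mid-processing */
    } else {
        r->locked = serialized && *next == STOP_RING;  /* held from stop to restart */
        r->running = *next == RESTART_RING;            /* stop clears, restart sets */
    }
    *next = (enum step)(*next + 1);
}

/* Replay a schedule of caller indices (must name both callers); returns violations. */
int run_schedule(const int *sched, int n, bool serialized)
{
    struct ring r = { .running = true };
    enum step c[2] = { STOP_RING, STOP_RING };
    for (int i = 0; c[0] != DONE || c[1] != DONE; i++)
        advance(&r, &c[sched[i % n]], serialized);
    return r.violations;
}

/* Of the 20 interleavings of two 3-step calls, count those that hit a violation. */
int count_bad_interleavings(bool serialized)
{
    int bad = 0, sched[6];
    for (unsigned m = 0; m < 64; m++) {
        int ones = 0;
        for (int i = 0; i < 6; i++)
            ones += sched[i] = (m >> i) & 1;
        bad += ones == 3 && run_schedule(sched, 6, serialized) > 0;
    }
    return bad;
}

int main(void)
{
    printf("bad: %d/20 unserialized, %d/20 serialized\n",
           count_bad_interleavings(false), count_bad_interleavings(true));
    return 0;
}
```

A violation here means one call processes ring entries after its peer has already restarted the ring; with the lock held from stop to restart, no schedule reaches that state.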

Affected Systems

Linux kernel releases that include the mipi-i3c-hci driver before the commit that adds a mutex around hci_dma_dequeue_xfer() are affected. This includes all standard builds of the kernel and the 7.0 release candidates RC1, RC2, and RC3 listed in the CPE data.

Risk and Exploitability

The flaw is confined to the kernel and would likely require an attacker with local or elevated privileges to orchestrate simultaneous DMA timeouts. The CVSS score of 7.8 indicates High severity, while an EPSS score of < 1% points to a very low probability of exploitation. The vulnerability is not listed in CISA KEV. Remote exploitation is unlikely without such privileges, making the overall risk moderate for systems that expose the mipi-i3c-hci interface to untrusted code.

Generated by OpenCVE AI on May 15, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the mutex fix for hci_dma_dequeue_xfer()
  • If a kernel upgrade cannot be performed immediately, disable the mipi-i3c-hci driver or restrict privileged access to the device to prevent malicious DMA operations
  • Implement monitoring or logging of DMA ring start/stop events to detect unexpected state changes that could indicate a race condition is occurring

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-820
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times. Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself.
Title i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:56.101Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43353

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:46.043

Modified: 2026-05-15T19:22:40.040

Link: CVE-2026-43353

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43353 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses