Description
In the Linux kernel, the following vulnerability has been resolved:

nouveau/dpcd: return EBUSY for aux xfer if the device is asleep

If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.

WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]

This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The nouveau GPU driver attempted an auxiliary transfer through the /dev/drm_dp_* interface while the GPU was in a runtime suspended state. Instead of indicating that the device was unavailable, the driver sent a request to the GPU’s GSP engine, which cannot process commands when the device is asleep. This invalid operation caused the kernel to panic and terminate the operating system. The crash demonstrates a fault that can be triggered by local code exercising the /dev/drm_dp_* interface during suspend, leading to a complete system halt.

Affected Systems

All Linux kernel releases that include the nouveau driver and lack the 2026‑43381 patch are affected. The vulnerability was observed on kernel 6.18.10‑200.fc43.x86_64 and applies to other kernel versions that ship the unpatched driver, regardless of distribution or vendor. The affected kernels are listed in the provided CPEs, including kernel 7.0 rc1 and rc2 variants.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score of < 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no widespread exploitation has been reported. Based on the description, the attack vector is local; an attacker must run code that can invoke the /dev/drm_dp_* interface while the GPU is asleep, such as a privileged process or firmware‑upgrade client. The effect is a denial of service via a kernel crash, but the lack of a remote or privilege‑escalation path reduces the overall risk compared to a high‑impact remote exploit.

Generated by OpenCVE AI on May 26, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the patched nouveau driver.
  • If an immediate kernel update is not possible, temporarily restrict or disable access to /dev/drm_dp_* while the system is in runtime suspend or during firmware updates.
  • Configure fwupd or other firmware‑upgrade tools so that they do not access the GPU while it is asleep, or use power‑domain management to keep the GPU awake during updates.

Generated by OpenCVE AI on May 26, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Tue, 26 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References

Fri, 08 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] This is a simple fix to get backported. We should probably engineer a proper power domain solution to wake up devices and keep them awake while fw updates are happening.
Title nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:23:29.324Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43381

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:49.333

Modified: 2026-05-26T17:17:15.697

Link: CVE-2026-43381

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43381 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T19:00:15Z

Weaknesses