CVE-2026-43381 - Vulnerability Details

- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep

Description

In the Linux kernel, the following vulnerability has been resolved:

nouveau/dpcd: return EBUSY for aux xfer if the device is asleep

If we have runtime suspended, and userspace wants to use /dev/drm_dp_*
then just tell it the device is busy instead of crashing in the GSP
code.

WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]

This is a simple fix to get backported. We should probably engineer a
proper power domain solution to wake up devices and keep them awake
while fw updates are happening.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The nouveau driver in the Linux kernel attempted an auxiliary transfer through the /dev/drm_dp_* interface while the GPU was in a runtime suspended state. Instead of indicating that the device was unavailable, the driver sent a request to the GPU’s GSP code, a call that is invalid when the GPU is asleep, and this caused the kernel to crash. The crash results in a kernel panic, effectively shutting down the host operating system. This flaw is a classic example of a fault in proprietary code that can lead to a denial‑of‑service by corrupting the control flow of the kernel (CWE‑367).

Affected Systems

All Linux kernel releases that ship the nouveau graphics driver without the recent patch are affected. The vulnerability was demonstrated on a system running kernel 6.18.10‑200.fc43.x86_64 and applies across all distributions where this driver is present, regardless of vendor. No specific version range is claimed beyond the presence of the vulnerable code.

Risk and Exploitability

The vulnerability does not have an assigned CVSS score and the EPSS score is not available. It is not listed in CISA’s KEV catalog, indicating no large‑scale exploitation has been reported. Based on the description, the likely attack vector is local: an attacker must run code that can invoke the /dev/drm_dp_* interface while the GPU is asleep, such as a privileged process or a firmware‑upgrade client. Because the error leads to a kernel crash, the impact is high, as it can bring the entire system down and require a reboot. The lack of remote exploitation paths or elevated privilege prerequisites makes the risk lower than a remote exploit, but the potential for an unwanted system crash is still significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< 178df7c91e6c202579284df9f79d1592a514cdcf
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< 4df518aa196085909fd7e32518ecd27fba60ed69
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< fad178ae894930520519ead3c8e0150641466360
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< 6bdd2d70c338d52c387d3b3aadc596784ae81b01
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< ad8fa5bff53f5d1f8394f996850da8ce070eaee3
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< 24639553a016578222ac597db924dfb6fa5ec8b5
`8894f4919bc43f821775db2cfff4b917871b2102`	affected	< 8f3c6f08ababad2e3bdd239728cf66a9949446b4

Linux

affected

Version	Status	Constraints
`3.16`	affected	—
`0`	unaffected	< 3.16
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8894f4919bc43f821775db2cfff4b917871b2102,178df7c91e6c202579284df9f79d1592a514cdcf)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,24639553a016578222ac597db924dfb6fa5ec8b5)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,4df518aa196085909fd7e32518ecd27fba60ed69)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,fad178ae894930520519ead3c8e0150641466360)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,6bdd2d70c338d52c387d3b3aadc596784ae81b01)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,ad8fa5bff53f5d1f8394f996850da8ce070eaee3)`	affected	code_commit	—
`[8894f4919bc43f821775db2cfff4b917871b2102,8f3c6f08ababad2e3bdd239728cf66a9949446b4)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.16`	affected	generic	—
`[0,3.16)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the patched nouveau driver.
If an immediate kernel update is not possible, temporarily restrict or disable access to /dev/drm_dp_* while the system is in runtime suspend or during firmware updates.
Configure fwupd or other firmware‑upgrade tools so that they do not access the GPU while it is asleep, or use power‑domain management to keep the GPU awake during updates.
Monitor system logs for GSP or EBUSY errors to detect unintended accesses during sleep.

Generated by OpenCVE AI on May 9, 2026 at 05:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/178df7c91e6c202579284df9f79d1592a514cdcf
https://git.kernel.org/stable/c/24639553a016578222ac597db924dfb6fa5ec8b5
https://git.kernel.org/stable/c/4df518aa196085909fd7e32518ecd27fba60ed69
https://git.kernel.org/stable/c/6bdd2d70c338d52c387d3b3aadc596784ae81b01
https://git.kernel.org/stable/c/8f3c6f08ababad2e3bdd239728cf66a9949446b4
https://git.kernel.org/stable/c/ad8fa5bff53f5d1f8394f996850da8ce070eaee3
https://git.kernel.org/stable/c/cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c
https://git.kernel.org/stable/c/fad178ae894930520519ead3c8e0150641466360
https://lore.kernel.org/linux-cve-announce/2026050833-CVE-2026-43381-e311@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43381
https://www.cve.org/CVERecord?id=CVE-2026-43381

History

Sat, 09 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026050833-CVE-2026-43381-e311@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43381 https://www.cve.org/CVERecord?id=CVE-2026-43381

Fri, 08 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] This is a simple fix to get backported. We should probably engineer a proper power domain solution to wake up devices and keep them awake while fw updates are happening.
Title		nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/178df7c91e6c202579284df9f79d1592a514cdcf https://git.kernel.org/stable/c/24639553a016578222ac597db924dfb6fa5ec8b5 https://git.kernel.org/stable/c/4df518aa196085909fd7e32518ecd27fba60ed69 https://git.kernel.org/stable/c/6bdd2d70c338d52c387d3b3aadc596784ae81b01 https://git.kernel.org/stable/c/8f3c6f08ababad2e3bdd239728cf66a9949446b4 https://git.kernel.org/stable/c/ad8fa5bff53f5d1f8394f996850da8ce070eaee3 https://git.kernel.org/stable/c/cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c https://git.kernel.org/stable/c/fad178ae894930520519ead3c8e0150641466360

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:29.340Z

Updated: 2026-05-08T14:21:29.340Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43381

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:49.333

Modified: 2026-05-08T15:16:49.333

Link: CVE-2026-43381

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43381 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:45:26Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object