Description
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL

Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE
before enabling TRANS_DDI_FUNC_CTL.

Personally I was only able to reproduce a hang (on an Dell XPS 7390
2-in-1) with an external display connected via a dock using a dodgy
type-C cable that made the link training fail. After the failed
link training the machine would hang. TGL seemed immune to the
problem for whatever reason.

BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL
as well. The DMC firmware also does the VRR restore in two stages:
- first stage seems to be unconditional and includes TRANS_VRR_CTL
and a few other VRR registers, among other things
- second stage is conditional on the DDI being enabled,
and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,
among other things

So let's reorder the steps to match to avoid the hang, and
toss in an extra WARN to make sure we don't screw this up later.

BSpec: 22243
(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Published: 2026-05-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The i915 Direct Rendering Manager driver in the Linux kernel incorrectly orders Video‑Ready‑Refresh registers, writing TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL. This sequencing can trigger a memory‑corruption event (MCE) that causes the kernel to hang, effectively denying service to the system. The bug was observed when a display link training failed, such as when an external monitor was connected through a faulty dock cable.

Affected Systems

Linux kernel builds that contain the original i915 VRR implementation before the commit that reordered the register writes are affected. The crash was reproduced on an Intel ICL platform (Dell XPS 7390 2‑in‑1) when an external display via a dock caused link‑training failure; Intel TGL hardware did not trigger the issue, indicating the vulnerability is tied to ICL and similar hardware.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw resides in privileged kernel code and requires a specific display configuration that triggers link‑training failure, only local attackers who can force such a condition— for example by manipulating an external display connection or using a defective cable—could exploit it. No publicly known remote exploitation route exists.

Generated by OpenCVE AI on May 14, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that reorders the VRR register writes (commit 93f3a267c3dd4d811b224bb9e179a10d81456a74) or upgrade to a kernel version that includes the fix.
  • If an immediate kernel upgrade is not possible, disable VRR functionality or avoid using external displays that can trigger link‑training failures during the transition period.
  • Use high‑quality or certified Type‑C / DisplayPort cables and avoid known problematic docking configurations to minimize the chance of a link‑training failure.

Generated by OpenCVE AI on May 14, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-760

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-841
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-760

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL. Personally I was only able to reproduce a hang (on an Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason. BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL as well. The DMC firmware also does the VRR restore in two stages: - first stage seems to be unconditional and includes TRANS_VRR_CTL and a few other VRR registers, among other things - second stage is conditional on the DDI being enabled, and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, among other things So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later. BSpec: 22243 (cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Title drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-13T15:08:26.763Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43477

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:50.807

Modified: 2026-05-22T16:41:27.813

Link: CVE-2026-43477

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-13T00:00:00Z

Links: CVE-2026-43477 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T15:30:16Z

Weaknesses