Security Vulnerability Report
CVE-2026-43352 CVSS 7.8 HIGH

CVE-2026-43352

Published: 2026-05-08 15:16:46
Last Modified: 2026-05-11 08:16:11
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue

The logic used to abort the DMA ring contains several flaws:

1. The driver unconditionally issues a ring abort even when the ring has already stopped.
2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be considered successful without attempting further action.

Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions prior to commit 003df94bcc92)
Linux Kernel (versions prior to commit 5549611888f5)
Linux Kernel (versions prior to commit b795e68bf307)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * Conceptual PoC for CVE-2026-43352
 * Triggering the RING_CTRL_ABORT logic flaw in i3c: mipi-i3c-hci
 */
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/i3c/master.h>

/* Module entry point. This skeleton only logs a message; it does not touch the controller. */
static int __init trigger_poc(void)
{
	// In a real exploit scenario, this module would interact with
	// the I3C HCI device to force the DMA ring into a state
	// where the abort logic is triggered erroneously.
	// This involves sending specific I3C commands that cause
	// the DMA dequeue path to execute.

	// Trigger condition: Call abort on a stopped ring or rely on
	// uninitialized completion to cause a hang/crash.
	printk(KERN_ALERT "CVE-2026-43352: Triggering I3C HCI DMA abort flaw\n");

	// Exploit logic would go here to manipulate Ring Control registers
	// and observe the incorrect clearing of RING_CTRL_ENABLE.
	return 0;
}

/* Module exit point: logs the unload. */
static void __exit exit_poc(void)
{
	printk(KERN_ALERT "CVE-2026-43352: Unloading module\n");
}

module_init(trigger_poc);
module_exit(exit_poc);
MODULE_LICENSE("GPL");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43352", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:45.937", "lastModified": "2026-05-11T08:16:10.917", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue\n\nThe logic used to abort the DMA ring contains several flaws:\n\n 1. The driver unconditionally issues a ring abort even when the ring has\n already stopped.\n 2. The completion used to wait for abort completion is never\n re-initialized, resulting in incorrect wait behavior.\n 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which\n resets hardware ring pointers and disrupts the controller state.\n 4. If the ring is already stopped, the abort operation should be\n considered successful without attempting further action.\n\nFix the abort handling by checking whether the ring is running before\nissuing an abort, re-initializing the completion when needed, ensuring that\nRING_CTRL_ENABLE remains asserted during abort, and treating an already\nstopped ring as a successful condition."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/003df94bcc9227e8e930abd03ac7f63ac10033dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5549611888f5ca2db5e8e692b57f30626ddf9898", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b795e68bf3073d67bebbb5a44d93f49efc5b8cc7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}