CVE-2026-43191 Overview
CVE-2026-43191 is a Linux kernel vulnerability in the AMD display driver (drm/amd/display) affecting DCN35 hardware. The flaw stems from improper PHY Finite State Machine (FSM) transitions when disabling Transition Minimized Differential Signaling (TMDS) output. The driver turns off the PHY Phase-Locked Loop (PLL) during TMDS disable, leaving the Output Timing Generator (OTG) stuck. This condition can cascade into a hang in the Display Controller Hub Virtual Memory (DCHVM) module, which fails to acknowledge invalidations because it believes the Hub Pipe (HUBP) remains active without receiving global sync.
Critical Impact
The stuck OTG state can cause an IOMMU watchdog timeout and a system hang on AMD DCN35 graphics hardware running affected Linux kernel builds.
Affected Products
- Linux kernel versions containing the drm/amd/display DCN35 driver prior to the fix
- Systems with AMD graphics hardware using DCN35 display controllers
- Distributions tracking mainline and stable Linux kernel branches that have not pulled the backport
Discovery Timeline
- 2026-05-06 - CVE-2026-43191 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43191
Vulnerability Analysis
The issue resides in the AMD Display Core Next 3.5 (DCN35) PHY power management logic within the Direct Rendering Manager (DRM) subsystem. When the driver disables TMDS output, it turns off the PHY PLL prematurely. The OTG depends on PHY clocking to complete its disable sequence and becomes stuck waiting for clocks that never arrive.
The stuck OTG prevents the HUBP from receiving global sync. The DCHVM observes the HUBP as still active and refuses to acknowledge IOMMU invalidations. The IOMMU watchdog then times out, producing a system hang. The fix backports the DCN401 implementation, which performs an atomic TX_EN-to-PLL_ON FSM transition to ensure the PHY remains clocked through the TMDS disable path.
Root Cause
The root cause is a non-atomic PHY state transition during TMDS shutdown on DCN35. Because the original transition is not atomic, thread preemption can occur before the sequence completes, allowing the IOMMU watchdog to fire. The DCN401 fix restructures the state machine into an atomic TX_EN-to-PLL_ON step, but it could not be applied directly to DCN35 due to a functional difference in when eDP output is disabled.
Attack Vector
This vulnerability is a kernel stability defect rather than a remotely exploitable flaw. Triggering the condition requires display reconfiguration sequences that disable TMDS output on affected DCN35 hardware. The result is a denial-of-service condition through a kernel hang, not memory corruption or privilege escalation. No public exploit, proof of concept, or CISA Known Exploited Vulnerabilities listing is associated with this CVE.
No verified code examples are available for this CVE. Refer to the upstream commits for implementation details: Linux Kernel Commit 75372d75 and Linux Kernel Commit d1f7ceb00.
Detection Methods for CVE-2026-43191
Indicators of Compromise
- Kernel log entries indicating IOMMU watchdog timeouts on systems using AMD DCN35 graphics
- System hangs or display freezes occurring during display mode changes, monitor disconnects, or suspend/resume cycles
- dmesg messages referencing dcn35, OTG, or DCHVM failures to acknowledge invalidations
Detection Strategies
- Inventory Linux endpoints and servers running kernels that include the unfixed DCN35 PHY FSM code path
- Compare installed kernel versions against the stable trees containing commits 75372d75 and d1f7ceb0
- Correlate user reports of GPU-related hangs with hardware models using AMD DCN35 display controllers
Monitoring Recommendations
- Monitor /var/log/kern.log and journalctl -k for repeated IOMMU and AMDGPU error patterns on affected hardware
- Track kernel package versions across the fleet using configuration management tooling
- Alert on unexpected display subsystem resets or graphics driver reload events
How to Mitigate CVE-2026-43191
Immediate Actions Required
- Update affected systems to a Linux kernel build that includes the upstream fix from commits 75372d75 and d1f7ceb0
- Apply distribution kernel updates as soon as vendor packages incorporating the patch are available
- Prioritize remediation on workstations and laptops with AMD DCN35 graphics that experience display-related hangs
Patch Information
The fix backports the DCN401 PHY FSM transition logic to DCN35, making the TX_EN-to-PLL_ON transition atomic so the PHY PLL is not disabled before the OTG completes its shutdown sequence. The patches are upstream in the Linux kernel stable tree as commits 75372d75 and d1f7ceb0.
Workarounds
- Avoid frequent TMDS display reconfigurations on affected DCN35 systems until the kernel is patched
- Where feasible, use DisplayPort or eDP outputs instead of TMDS-based outputs such as HDMI/DVI on impacted hardware
- Pin affected systems to a known-good kernel revision until distribution updates incorporating the fix are validated
# Verify running kernel version and check for the fix
uname -r
# On Debian/Ubuntu, update the kernel package
sudo apt update && sudo apt upgrade linux-image-generic
# On RHEL/Fedora, update the kernel
sudo dnf update kernel
# Reboot to apply the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
