CVE-2026-43302 Overview
CVE-2026-43302 affects the Linux kernel's Direct Rendering Manager (DRM) driver for the Broadcom VideoCore V3D GPU. The drm/v3d driver fails to set the max_seg_size DMA parameter, causing the kernel to default to a 64KB limit. When CONFIG_DMA_API_DEBUG is enabled, the kernel emits warnings whenever the V3D driver maps scatter-gather segments larger than this default. The issue surfaces on platforms such as the Raspberry Pi 5 during V3D rendering operations triggered by graphical workloads like Xorg.
Critical Impact
A local low-privileged user with access to the V3D rendering device can trigger DMA debug warnings that may degrade availability on affected systems.
Affected Products
- Linux Kernel (multiple stable branches prior to fixes referenced in git.kernel.org commits)
- Systems using the drm/v3d driver, including Raspberry Pi 4 and Raspberry Pi 5
- Yocto-based and embedded Linux distributions shipping vulnerable kernel versions
Discovery Timeline
- 2026-05-08 - CVE-2026-43302 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43302
Vulnerability Analysis
The vulnerability resides in the V3D DRM driver's buffer object initialization path. When the driver maps a scatter-gather table for GPU buffer objects through drm_gem_shmem_get_pages_sgt() and subsequently dma_map_sgtable(), the underlying DMA debug subsystem validates each segment against the device's declared maximum segment size. Because the V3D driver does not call dma_set_max_seg_size() during probe, the device inherits the kernel default of 64KB. Real V3D buffer objects routinely exceed this size, as shown by the warning where a segment of 8,290,304 bytes is mapped against the 65,536 byte default.
The issue maps to [CWE-131] (Incorrect Calculation of Buffer Size). The fix sets max_seg_size to the maximum value, preventing debug_dma_map_sg() from emitting WARN messages during normal V3D operation.
Root Cause
The V3D driver omits an explicit call to configure the DMA segment size for its device. Without that configuration, the DMA mapping helpers treat any scatter-gather segment larger than 64KB as a programming error and emit a kernel WARNING. The driver itself is functionally capable of handling larger segments, but it never communicates this capability to the DMA layer.
Attack Vector
Exploitation requires local access and the ability to issue ioctl calls to the V3D device, typically /dev/dri/renderD128. A local user invoking v3d_create_bo_ioctl with buffer sizes exceeding 64KB causes dma_map_sgtable to walk segments that exceed max_seg_size. Each violation triggers a kernel WARNING through debug_dma_map_sg+0x330/0x388. Repeated invocations can flood kernel logs and impact system availability on affected hosts.
The vulnerability only triggers when CONFIG_DMA_API_DEBUG is enabled, which is typical for development and embedded debug builds but not standard for production kernels.
Detection Methods for CVE-2026-43302
Indicators of Compromise
- Kernel log entries containing DMA-API: v3d ... mapping sg segment longer than device claims to support
- WARNING: CPU: ... debug_dma_map_sg+0x330/0x388 stack traces in dmesg
- Call traces referencing v3d_bo_create_finish and v3d_create_bo_ioctl followed by DMA debug warnings
- Unusual log volume growth on systems with V3D hardware and CONFIG_DMA_API_DEBUG enabled
Detection Strategies
- Monitor dmesg and /var/log/kern.log for debug_dma_map_sg warnings tied to the v3d driver
- Audit running kernel configurations with zcat /proc/config.gz | grep DMA_API_DEBUG to identify systems exposed to the warning condition
- Track kernel version against the fixed commits referenced in the kernel.org advisories to identify unpatched builds
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on repeated DMA-API: v3d warnings from a single host
- Establish baselines for kernel WARNING frequency on Raspberry Pi 5 and similar V3D-equipped fleets
- Review process accounting for unexpected use of /dev/dri/renderD* devices by non-graphical users
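The log check described under Detection Strategies and Monitoring Recommendations can be implemented as below. This is an added example, not part of the original advisory or of any kernel tooling: it counts v3d DMA-API segment warnings per host in syslog-format kernel logs and lists hosts at or above a threshold. The hostnames, timestamps, PID, device names and the `exampledrv` driver in the sample lines are constructed, and the script assumes the classic syslog layout where the hostname is the fourth field.

```shell
#!/bin/sh
# Count v3d DMA-API segment warnings per host in syslog-format kernel logs.

# Constructed sample input: hostnames, timestamps, PIDs and device names are made up.
sample_log() {
cat <<'EOF'
May 10 09:00:01 pi5-a kernel: DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536]
May 10 09:00:01 pi5-a kernel: WARNING: CPU: 0 PID: 493 at debug_dma_map_sg+0x330/0x388
May 10 09:00:07 pi5-a kernel: DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=131072] [max=65536]
May 10 09:00:09 pi5-a kernel: DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=4194304] [max=65536]
May 10 09:01:30 pi5-b kernel: DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=1048576] [max=65536]
May 10 09:02:00 pi4-c kernel: DMA-API: exampledrv 0000:01:00.0: mapping sg segment longer than device claims to support [len=262144] [max=65536]
May 10 09:02:05 pi4-c kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

# Usage: v3d_dma_warn_hosts THRESHOLD < syslog
# Prints "host count largest_len" for every host with at least THRESHOLD
# v3d segment warnings. Only the DMA-API line is counted, so the WARNING
# and call-trace lines that accompany it do not inflate the total.
v3d_dma_warn_hosts() {
    awk -v min="$1" '
        /DMA-API: v3d / && /mapping sg segment longer than device claims to support/ {
            host = $4                      # syslog: month day time host ...
            count[host]++
            if (match($0, /\[len=[0-9]+\]/)) {
                len = substr($0, RSTART + 5, RLENGTH - 6) + 0
                if (len > largest[host]) largest[host] = len
            }
        }
        END {
            for (h in count)
                if (count[h] >= min) print h, count[h], largest[h] + 0
        }
    ' | sort
}

# Hosts with three or more warnings in the sample
sample_log | v3d_dma_warn_hosts 3
```

Against live data, feed it `/var/log/kern.log` or the forwarded kernel stream instead of `sample_log`, and set the threshold from the fleet baseline.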
How to Mitigate CVE-2026-43302
Immediate Actions Required
- Update the Linux kernel to a stable release containing one of the referenced fixes (Kernel Git Commit 0290934d or Kernel Git Commit db15f469)
- Inventory all systems running the drm/v3d driver, particularly Raspberry Pi 4 and 5 devices
- Restrict access to /dev/dri/renderD* nodes to trusted users and processes
Patch Information
The upstream fix adds a call to set the maximum DMA segment size during V3D driver initialization. Backports are available across multiple stable branches via the following commits: Kernel Git Commit 14d0d6c8, Kernel Git Commit 225023e3, Kernel Git Commit 2663ef70, Kernel Git Commit 9eb01882, and Kernel Git Commit cf510785.
Workarounds
- Disable CONFIG_DMA_API_DEBUG in production kernel builds to suppress the WARN path until patching is feasible
- Restrict membership of the video and render groups so only required users can issue V3D ioctls
- Rate-limit kernel logs using sysctl kernel.printk_ratelimit to reduce impact of warning floods
```bash
# Verify whether the running kernel includes DMA API debug support
# (/proc/config.gz exists only when CONFIG_IKCONFIG_PROC is enabled; fall back to /boot)
zcat /proc/config.gz 2>/dev/null | grep CONFIG_DMA_API_DEBUG \
  || grep CONFIG_DMA_API_DEBUG "/boot/config-$(uname -r)"
# Inspect recent kernel logs for V3D DMA segment warnings
dmesg | grep -E 'v3d.*mapping sg segment|debug_dma_map_sg'
# Confirm the active v3d driver module version after patching
modinfo v3d | grep -E 'filename|version|srcversion'
```