CVE-2026-43345 Overview
CVE-2026-43345 is a Linux kernel vulnerability in the IP Accelerator (IPA) networking driver affecting Qualcomm IPA v5.0 and later hardware. The flaw stems from an incorrect register field identifier used in the v5.0 register definition for the Generic Software Interface (GSI) channel context. Without a valid event ring index programmed, GSI channels cannot signal transfer completions. This causes gsi_channel_trans_quiesce() to block indefinitely in wait_for_completion(). The result is that runtime suspend, system suspend, and remoteproc stop operations hang forever, and the IPA data path becomes completely non-functional on affected devices.
Critical Impact
Affected systems experience a complete loss of IPA networking functionality and indefinite hangs in power management paths, producing a persistent denial-of-service condition on Qualcomm platforms using IPA v5.0+.
Affected Products
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Linux Kernel branches incorporating the IPA v5.0+ driver register definitions
- Qualcomm platforms using IPA v5.0, v5.1, and v5.2 hardware
Discovery Timeline
- 2026-05-08 - CVE-2026-43345 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43345
Vulnerability Analysis
The vulnerability resides in the Linux kernel net: ipa driver, specifically in the register field definitions for the GSI hardware block on IPA v5.0 and later revisions. Starting with IPA v5.0, the event ring index (ERINDEX) field was relocated from the CH_C_CNTXT_0 register to the CH_C_CNTXT_1 register. The driver's v5.0 register definition attempted to define this field within the CH_C_CNTXT_1 fmask array but referenced the legacy identifier ERINDEX instead of the correct CH_ERINDEX. As a result, the event ring index is never programmed into the channel context register at runtime.
Without a valid event ring association, the GSI channel hardware has no destination for transfer completion events. Completion interrupts are never generated, and any code path waiting on a completion stalls indefinitely.
Root Cause
The root cause is a register field identifier mismatch in the IPA driver's v5.0 register layout description. The fmask entry intended to populate the new CH_ERINDEX field used the obsolete ERINDEX symbol from the pre-v5.0 layout. The driver therefore writes the event ring index using a definition that targets the wrong register field, leaving the actual CH_C_CNTXT_1.CH_ERINDEX bits uninitialized. This is a configuration and design flaw in the register definition rather than a memory safety issue, classified under [NVD-CWE-noinfo].
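The mechanism described above can be reproduced in a small user-space model; this is an added example, not code from the kernel's ipa driver or from the upstream fix. It assumes the driver looks up each field's bit mask in a per-register table indexed by field ID, and every name other than ERINDEX and CH_ERINDEX, along with all enum values and bit positions, is a constructed placeholder.

```c
/* Simplified model of an enum-indexed field-mask table, not the kernel's ipa source.
 * Enum values and bit positions are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define GENMASK32(h, l) ((uint32_t)((~0u >> (31 - (h))) & (~0u << (l))))
#define ARRAY_SIZE(a)   (sizeof(a) / sizeof((a)[0]))

/* Field IDs of the pre-v5.0 CH_C_CNTXT_0 layout (placeholder names except ERINDEX). */
enum cntxt_0_field_id { C0_FIELD_A, C0_FIELD_B, C0_FIELD_C, C0_FIELD_D, ERINDEX };
/* Field IDs of CH_C_CNTXT_1, which holds the event ring index on v5.0+. */
enum cntxt_1_field_id { C1_LENGTH, CH_ERINDEX };

struct reg { const uint32_t *fmask; unsigned int fcount; };

/* Buggy table: ERINDEX (== 4) is a legal array index, so this compiles cleanly,
 * but slot CH_ERINDEX (== 1) is left as an all-zero mask. */
static const uint32_t buggy_fmask[] = {
    [C1_LENGTH] = GENMASK32(23, 0),
    [ERINDEX]   = GENMASK32(31, 24),
};
/* Corrected table: the mask sits in the slot the lookup actually reads. */
static const uint32_t fixed_fmask[] = {
    [C1_LENGTH]  = GENMASK32(23, 0),
    [CH_ERINDEX] = GENMASK32(31, 24),
};
static const struct reg buggy_cntxt_1 = { buggy_fmask, ARRAY_SIZE(buggy_fmask) };
static const struct reg fixed_cntxt_1 = { fixed_fmask, ARRAY_SIZE(fixed_fmask) };

/* Shift val into the field's position; an absent or empty mask encodes nothing. */
static uint32_t field_encode(const struct reg *reg, unsigned int field_id, uint32_t val)
{
    uint32_t mask = field_id < reg->fcount ? reg->fmask[field_id] : 0;
    return mask ? (val << __builtin_ctz(mask)) & mask : 0;
}

/* Value that would be written to CH_C_CNTXT_1 for a ring length and event ring index. */
static uint32_t cntxt_1_value(const struct reg *reg, uint32_t len, uint32_t evt_ring_id)
{
    return field_encode(reg, C1_LENGTH, len) | field_encode(reg, CH_ERINDEX, evt_ring_id);
}

int main(void)
{
    printf("buggy: 0x%08x\n", cntxt_1_value(&buggy_cntxt_1, 0x1000, 3));
    printf("fixed: 0x%08x\n", cntxt_1_value(&fixed_cntxt_1, 0x1000, 3));
    return 0;
}
```

With the buggy table the event ring index bits stay zero whatever index is requested, and nothing fails at compile time because both enums are plain integers.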
Attack Vector
The vulnerability triggers under normal operating conditions on any system loading the affected driver on IPA v5.0+ hardware. Although the CVSS vector lists a network attack vector, exploitation does not require a crafted network input. Any traffic or system event that exercises the IPA data path or invokes power management transitions can reach the broken code path. The result is an availability impact: indefinite blocking in gsi_channel_trans_quiesce(), a non-functional data path, and hung suspend or remoteproc operations.
No verified public exploit code or proof-of-concept exists for this vulnerability. See the upstream patches in the Linux kernel stable tree for the corrected register field definition.
Detection Methods for CVE-2026-43345
Indicators of Compromise
- Kernel tasks blocked in gsi_channel_trans_quiesce() or wait_for_completion() visible in /proc/<pid>/stack and dmesg hung-task warnings.
- Runtime suspend, system suspend, or remoteproc stop operations that never complete on Qualcomm IPA-enabled platforms.
- Loss of cellular or modem data connectivity with the IPA driver loaded and no traffic transiting GSI channels.
Detection Strategies
- Inspect the running kernel version with uname -r and confirm whether it predates the upstream fix commits referenced in the vendor advisories.
- Enable kernel hung-task detection (kernel.hung_task_timeout_secs) and review dmesg for stalls referencing GSI or IPA functions.
- Audit fleet inventory of devices using Qualcomm IPA v5.0, v5.1, and v5.2 hardware against the patched kernel commit hashes.
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on hung-task warnings referencing gsi_ or ipa_ symbols.
- Track power management telemetry for suspend cycles that exceed expected duration thresholds on mobile or embedded fleets.
- Monitor IPA throughput counters and flag interfaces where the data path remains idle while link state is up.
How to Mitigate CVE-2026-43345
Immediate Actions Required
- Update to a Linux kernel build that incorporates the upstream fix from the stable tree commits listed in the vendor advisories.
- For vendor or downstream kernels, backport the register field identifier correction that replaces ERINDEX with CH_ERINDEX in the CH_C_CNTXT_1 fmask array.
- Reboot affected systems after patching to clear any tasks already blocked in wait_for_completion().
Patch Information
Fixes are available in the upstream Linux kernel stable tree. Refer to the relevant commits: 2bf18b643c46, 2d2dc166d551, 34c988bb04cb, 56007972c0b1, and ae8343a19ccb. Distribution maintainers should pick up these commits in their stable kernel releases.
Workarounds
- No reliable software workaround exists because the defect prevents the IPA data path from initializing correctly.
- On platforms where the IPA driver is not required, blacklist or unload the ipa module to avoid the hang in power management code paths.
- Disable runtime suspend and remoteproc stop operations on affected devices until a patched kernel is deployed, accepting the resulting power consumption impact.
# Verify kernel version and IPA module status before applying patched kernel
uname -r
lsmod | grep -i ipa
dmesg | grep -Ei 'gsi|ipa|hung_task'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


