CVE-2026-43352 Overview
CVE-2026-43352 affects the Linux kernel i3c/mipi-i3c-hci driver. The flaw resides in the DMA dequeue logic that handles RING_CTRL_ABORT operations. The driver issues ring aborts unconditionally, fails to re-initialize the completion structure used to wait for abort completion, and unintentionally clears RING_CTRL_ENABLE during the abort sequence. These defects reset hardware ring pointers and disrupt controller state. A local authenticated attacker with low privileges can exploit the resulting condition to impact confidentiality, integrity, and availability on affected systems.
Critical Impact
Local attackers with low privileges can disrupt i3c controller state and potentially compromise kernel integrity through flawed DMA ring abort handling.
Affected Products
- Linux Kernel version 7.0-rc1
- Linux Kernel version 7.0-rc2
- Linux Kernel version 7.0-rc3
Discovery Timeline
- 2026-05-08 - CVE-2026-43352 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43352
Vulnerability Analysis
The vulnerability resides in the MIPI I3C Host Controller Interface (HCI) driver within the Linux kernel. The DMA dequeue path mishandles the RING_CTRL_ABORT operation. The driver unconditionally issues a ring abort even when the ring has already stopped, wasting cycles and creating undefined states.
The completion primitive used to wait for abort completion is never re-initialized between uses. Subsequent wait operations therefore observe stale state and return incorrect results. This produces erroneous control flow inside the driver.
The abort sequence also clears the RING_CTRL_ENABLE bit. Clearing this bit resets the hardware ring pointers and disrupts the controller state. Operations that depend on ring pointer continuity fail or yield inconsistent results.
Root Cause
The root cause is incorrect logic in the DMA ring abort path of i3c/mipi-i3c-hci. The code does not check whether the ring is running before issuing an abort. It mixes the abort control bit with the enable bit during register writes, and it reuses the completion structure across multiple abort attempts without re-initializing it.
Attack Vector
Exploitation requires local access with low privileges on a host running a vulnerable Linux kernel build that loads the mipi-i3c-hci driver. An attacker who can trigger DMA dequeue paths in the i3c controller can induce inconsistent controller state, corrupting kernel data structures and disrupting device operations.
No verified proof-of-concept code is available. See the Linux Kernel commit 003df94b for the fix details.
Detection Methods for CVE-2026-43352
Indicators of Compromise
- Unexpected kernel log entries referencing mipi-i3c-hci ring abort failures or controller resets.
- I3C devices becoming unresponsive or repeatedly re-enumerating without operator action.
- Kernel warnings or oops messages originating from the i3c subsystem during normal device I/O.
Detection Strategies
- Inventory hosts running Linux kernel versions 7.0-rc1 through 7.0-rc3 with the mipi-i3c-hci module loaded.
- Audit dmesg and journalctl -k output for repeated abort sequence errors tied to the i3c driver.
- Correlate i3c controller state resets with local user activity using endpoint telemetry.
Monitoring Recommendations
- Forward kernel logs to a centralized analytics platform and alert on mipi-i3c-hci error patterns.
- Track local privilege use on systems with i3c hardware exposed to user-space tools.
- Baseline normal i3c device behavior and alert on deviations such as frequent controller reinitialization.
How to Mitigate CVE-2026-43352
Immediate Actions Required
- Identify all systems running Linux kernel 7.0-rc1, 7.0-rc2, or 7.0-rc3 with the i3c HCI driver loaded.
- Apply the upstream fixes referenced in the kernel stable tree and rebuild affected kernels.
- Restrict local access on hosts that interact with i3c hardware until patches are deployed.
Patch Information
Fixes are available through the following upstream commits: Linux Kernel commit 003df94b, Linux Kernel commit 55496118, and Linux Kernel commit b795e68b. The patches check whether the ring is running before issuing an abort, re-initialize the completion when needed, keep RING_CTRL_ENABLE asserted during abort, and treat an already-stopped ring as a successful condition.
Workarounds
- Unload the mipi-i3c-hci kernel module on systems where i3c functionality is not required.
- Blacklist the driver via /etc/modprobe.d/ to prevent automatic load at boot.
- Limit local logon rights and remove access to i3c device nodes for non-administrative users.
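# Blacklist the vulnerable driver until patches are applied
echo "blacklist mipi_i3c_hci" | sudo tee /etc/modprobe.d/cve-2026-43352.conf
# Unload the module if it is loaded; errors are ignored, so confirm with lsmod
sudo rmmod mipi_i3c_hci 2>/dev/null || true
# Debian/Ubuntu: rebuild the initramfs so the blacklist also applies in early boot
# (dracut-based distributions use "sudo dracut -f" instead)
sudo update-initramfs -u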
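The inventory step under Detection Strategies and the blacklist workaround above can be combined into one per-host check. The following is an added example, not part of the original advisory or of the kernel project. The function names and verdict words are hypothetical, and it assumes the release string has the form reported by `uname -r`.

```shell
#!/bin/sh
# Added example: classify one host for CVE-2026-43352 exposure.
# Function names and verdict words are hypothetical, chosen for this example.

# True if the release string is one of the release candidates this page lists.
# Mainline builds report 7.0.0-rcN from `uname -r`; 7.0-rcN is accepted too.
# A suffix ("+", "-gHASH") is allowed, but rc1x is not mistaken for rc1.
kernel_is_listed() {
    case "$1" in
        7.0-rc[123] | 7.0-rc[123][-+.]* | 7.0.0-rc[123] | 7.0.0-rc[123][-+.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the driver is a loaded module in a /proc/modules-format file.
# Field 1 must match exactly, so similarly named modules do not count.
driver_is_loaded() {
    awk '$1 == "mipi_i3c_hci" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# True if a *.conf file in a modprobe.d-style directory blacklists the driver.
driver_is_blacklisted() {
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+mipi[-_]i3c[-_]hci[[:space:]]*$' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Print one verdict: not-listed, exposed, mitigated or loadable.
# Arguments default to the live system; pass files to check collected data.
classify_host() {
    release="${1:-$(uname -r)}"
    if ! kernel_is_listed "$release"; then
        echo "not-listed"
    elif driver_is_loaded "${2:-/proc/modules}"; then
        echo "exposed"
    elif driver_is_blacklisted "${3:-/etc/modprobe.d}"; then
        echo "mitigated"
    else
        echo "loadable"
    fi
}
```

A version match only shows that the build is one this page lists. It cannot tell whether a locally built kernel already carries the fix commits, and a driver compiled into the kernel does not appear in /proc/modules.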


