CVE-2026-43353 Overview
CVE-2026-43353 is a race condition vulnerability in the Linux kernel's i3c MIPI I3C Host Controller Interface (HCI) driver. The flaw resides in the hci_dma_dequeue_xfer() function, which handles transfer timeouts on the HCI DMA ring. The function is not serialized and can race with itself when multiple transfers time out concurrently. Parallel invocations may stop or restart the DMA ring at unexpected times, corrupting driver state. The vulnerability is classified under [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization). It affects Linux kernel versions including 7.0-rc1, 7.0-rc2, and 7.0-rc3.
Critical Impact
Local attackers with low privileges can trigger concurrent DMA dequeue paths, leading to driver state corruption that impacts confidentiality, integrity, and availability on affected systems.
Affected Products
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2
- Linux Kernel 7.0-rc3
Discovery Timeline
- 2026-05-08 - CVE-2026-43353 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43353
Vulnerability Analysis
The vulnerability exists in the MIPI I3C HCI driver path responsible for cleaning up DMA transfers that fail to complete within their timeout window. When hci_dma_dequeue_xfer() is invoked, it stops the DMA ring, walks incomplete transfers, processes them, and then restarts the ring. The function assumes single-threaded execution but lacks any locking primitive to enforce that assumption.
When several outstanding transfers time out within a narrow window, the kernel can dispatch parallel calls into hci_dma_dequeue_xfer() from different timeout contexts. The two instances then operate on the same ring state without coordination. One caller can restart the ring while another still expects it to be stopped, leaving the controller in an inconsistent state and corrupting the transfer queue accounting.
Root Cause
The root cause is a missing synchronization primitive around a critical section that mutates shared DMA ring state. The fix introduces a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself, ensuring that ring stop, processing, and restart steps complete atomically.
Attack Vector
Exploitation requires local access with low privileges on a system that exposes the MIPI I3C HCI driver to user-influenced workloads. An attacker who can induce transfer timeouts on the I3C bus can race the unserialized cleanup path to corrupt driver state. The vulnerability is not network reachable and requires no user interaction. The resulting state corruption can disrupt device communication and may be leveraged to undermine system integrity. See the kernel commit fix for the technical patch details.
Detection Methods for CVE-2026-43353
Indicators of Compromise
- Kernel log entries from the mipi-i3c-hci driver indicating repeated transfer timeouts or unexpected ring state transitions.
- Soft lockups, hung tasks, or warnings originating from the i3c subsystem in dmesg output.
- Unexplained I3C device communication failures coinciding with high transfer volume.
Detection Strategies
- Audit running kernel versions across Linux fleets and flag systems built on 7.0-rc1 through 7.0-rc3 that include the unpatched i3c HCI driver.
- Correlate mipi-i3c-hci driver error events with periods of elevated I3C bus activity to surface race-related anomalies.
- Enable kernel lockdep and KCSAN on test systems to detect data races in the i3c dequeue path during validation.
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized log pipeline and alert on i3c subsystem warnings.
- Monitor for kernel panics or driver resets tied to the mipi-i3c-hci module across production hosts.
- Track patch deployment status for stable kernel updates referenced in the vendor advisory.
How to Mitigate CVE-2026-43353
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits as soon as distribution updates are available.
- Inventory systems running Linux kernel 7.0-rc1, 7.0-rc2, or 7.0-rc3 and prioritize them for patching.
- Restrict local access to systems exposing the MIPI I3C HCI controller until patches are deployed.
Patch Information
The fix adds a mutex to serialize hci_dma_dequeue_xfer() against itself. Three stable tree commits address the issue: 1dca8aee80ee, 4faa1e9c67a2, and b684b420a5bb. Rebuild and reboot affected kernels after applying the patch.
Workarounds
- Where the I3C controller is not required, blacklist the mipi-i3c-hci module to remove the vulnerable code path from the running kernel.
- Limit physical and logical access to hosts that expose I3C peripherals to reduce the local attack surface.
- Pin production deployments to released stable kernels rather than 7.0 release candidates until the fix is broadly available.
# Blacklist the vulnerable driver where not required
echo "blacklist mipi-i3c-hci" | sudo tee /etc/modprobe.d/blacklist-mipi-i3c-hci.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
