CVE-2026-43363 Overview
CVE-2026-43363 is a Linux kernel vulnerability in the x86 Advanced Programmable Interrupt Controller (APIC) subsystem. The flaw occurs during system resume from suspend-to-RAM (s2ram). Firmware may re-enable x2apic mode after a wake event even when the kernel disabled x2apic during boot due to missing IRQ remapping support or other reasons. The kernel continues using the xapic interface while the hardware operates in x2apic mode, causing the system to hang.
The issue affects bare metal systems running defconfig kernels and triggers reliably on s2ram cycles. It is tracked as a local availability issue in the linux:linux_kernel component.
Critical Impact
Local users can trigger a system hang following resume from S2/S3 sleep states, denying availability on affected x86 systems with mismatched x2apic firmware and kernel state.
Affected Products
- Linux kernel (multiple stable branches prior to fix commits)
- Linux kernel 7.0-rc1, 7.0-rc2, 7.0-rc3 release candidates
- Bare metal x86 systems using defconfig with s2ram enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43363 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43363
Vulnerability Analysis
The vulnerability resides in the local APIC (lapic) resume path on x86 platforms. During boot, the kernel may disable x2apic mode when interrupt remapping is unavailable or otherwise unsupported, falling back to the legacy xapic interface. The kernel tracks this decision through the x2apic_mode variable.
When the system enters S2 or S3 sleep and later resumes, platform firmware restores the pre-sleep or initial boot CPU configuration as permitted by the ACPI v6.6 specification, Section 16.3. If x2apic was part of the initial boot configuration, firmware re-enables x2apic mode in the APIC base MSR before handing control back to the kernel. The kernel's lapic_resume() routine previously did not reconcile this state, leaving the hardware in x2apic mode while kernel code continued issuing memory-mapped xapic accesses.
The mismatch causes interrupt delivery to fail and the CPU to hang. The fix updates lapic_resume() to explicitly disable x2apic whenever x2apic_mode is 0 (that is, whenever the kernel chose xapic at boot), restoring the kernel-expected configuration on wake.
Root Cause
The root cause is a kernel-firmware state synchronization gap. The kernel did not validate APIC mode on resume, assuming firmware preserved the pre-sleep configuration the kernel had established. ACPI permits restoration of either pre-sleep or initial boot CPU MSR state, so platforms may re-enable x2apic legitimately. This is classified under [NVD-CWE-noinfo].
Attack Vector
Exploitation requires local access with low privileges to initiate a suspend-to-RAM cycle. No user interaction beyond triggering suspend or resume is needed. The impact is limited to availability through a system hang. Confidentiality and integrity are not affected. The vulnerability does not enable code execution or privilege escalation.
The issue manifests deterministically on affected hardware configurations where firmware re-enables x2apic on resume. See the upstream commits referenced below for the resolved code path.
Detection Methods for CVE-2026-43363
Indicators of Compromise
- System hangs or unresponsive console immediately following resume from suspend-to-RAM on x86 bare metal hosts.
- Kernel logs showing x2apic disabled at boot followed by APIC delivery errors after a resume event.
- Repeated requirement for hard power cycles to recover from S2/S3 wake on defconfig kernels.
Detection Strategies
- Audit kernel boot logs for "Disabling x2apic" or "x2apic disabled" messages combined with subsequent suspend/resume cycles.
- Inspect /sys/firmware/acpi and dmesg after resume to confirm that the APIC mode the kernel selected matches the hardware state in the IA32_APIC_BASE MSR.
- Compare running kernel version against the fixed commits listed in the vendor advisories to identify exposure on managed Linux fleets.
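The consistency check described above, as an added example that is not part of the advisory or the kernel source. It decodes the architecturally defined IA32_APIC_BASE MSR layout (bit 10 = x2APIC enable, bit 11 = APIC global enable, base address from bit 12 up), infers the kernel's boot-time decision from the log strings the advisory names (the "x2apic enabled" string is an assumption), and reports whether the two agree. The sample dmesg excerpt is constructed; on a real host it reads the MSR through /dev/cpu/N/msr when that is available.

```python
import os
import re
import struct

# IA32_APIC_BASE (MSR 0x1B) layout is architectural (Intel SDM / AMD APM):
# bit 8 = BSP flag, bit 10 = x2APIC enable (EXTD), bit 11 = APIC global enable,
# bits 12 and up = APIC base physical address.
IA32_APIC_BASE = 0x1B
X2APIC_ENABLE = 1 << 10
APIC_GLOBAL_ENABLE = 1 << 11

# Constructed sample dmesg excerpt: the kernel turned x2apic off at boot and
# later went through a suspend/resume cycle. Not a real log.
SAMPLE_DMESG = """\
[    0.012345] x2apic disabled
[    0.012346] APIC: Switched APIC routing to: physical flat
[  120.000000] PM: suspend entry (deep)
[  125.000000] PM: suspend exit
"""

# Message patterns. The "disabled" forms are the strings the advisory names;
# the "enabled" form is an assumption about the kernel's wording.
X2APIC_OFF_RE = re.compile(r"x2apic disabled|Disabling x2apic", re.IGNORECASE)
X2APIC_ON_RE = re.compile(r"x2apic enabled", re.IGNORECASE)


def decode_apic_base(msr):
    """Split an IA32_APIC_BASE value into (global_enable, x2apic_enable, base_addr)."""
    global_on = bool(msr & APIC_GLOBAL_ENABLE)
    x2apic_on = bool(msr & X2APIC_ENABLE)
    base = (msr >> 12) << 12
    return global_on, x2apic_on, base


def kernel_expects_x2apic(dmesg):
    """Infer the kernel's boot-time x2apic decision from log text.

    Returns False when the log says x2apic was disabled, True when it says
    x2apic was enabled, and None when neither message is present.
    """
    if X2APIC_OFF_RE.search(dmesg):
        return False
    if X2APIC_ON_RE.search(dmesg):
        return True
    return None


def read_msr(cpu=0, reg=IA32_APIC_BASE):
    """Read one MSR through the msr driver (/dev/cpu/N/msr).

    Needs root and CONFIG_X86_MSR; returns None when the device is unavailable
    so the script still runs on non-x86 or unprivileged hosts.
    """
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        data = os.pread(fd, 8, reg)
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


def check_consistency(dmesg, msr_value):
    """Compare the kernel's expectation against the hardware MSR state.

    Returns "mismatch" when the kernel runs xapic but the MSR has EXTD set
    (the post-resume condition this advisory describes), or the reverse;
    "consistent" when they agree; "unknown" when the log is inconclusive.
    """
    expected = kernel_expects_x2apic(dmesg)
    _, hw_x2apic, _ = decode_apic_base(msr_value)
    if expected is None:
        return "unknown"
    return "consistent" if expected == hw_x2apic else "mismatch"


if __name__ == "__main__":
    live = read_msr()
    if live is None:
        # No MSR access: demonstrate on the constructed sample with a value
        # whose EXTD bit is set, as firmware might leave it after wake.
        print("msr unavailable; demo:", check_consistency(SAMPLE_DMESG, 0xFEE00D00))
    else:
        import subprocess
        try:
            log = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
        except OSError:
            log = ""
        print("IA32_APIC_BASE=%#x ->" % live, check_consistency(log, live))
```

Run it as root right after a resume; a "mismatch" verdict on a host whose boot log shows x2apic disabled is the exact state the advisory describes. The log-based inference is a heuristic, so treat "unknown" as a prompt to inspect dmesg by hand rather than as a clean result.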
Monitoring Recommendations
- Collect kernel crash and hang telemetry from endpoints performing frequent suspend/resume cycles, such as laptops and workstations.
- Track kernel package versions across the fleet and flag hosts running pre-patch builds of the Linux kernel.
- Alert on unexpected reboots or watchdog-triggered resets following ACPI wake events.
How to Mitigate CVE-2026-43363
Immediate Actions Required
- Update the Linux kernel to a version containing the upstream fix from one of the referenced stable commits.
- Prioritize patching bare metal x86 endpoints and servers that rely on suspend-to-RAM functionality.
- Validate that distribution-provided kernel updates include the lapic_resume() x2apic reconciliation change.
Patch Information
The fix is available across multiple Linux stable branches. Apply the appropriate commit from the kernel.org references: Kernel Commit 11712c4, Kernel Commit 1a85f84, Kernel Commit 1d8440c, Kernel Commit 3dd0812, Kernel Commit 8cc7dd7, Kernel Commit 965289b, Kernel Commit a6ad6f2, and Kernel Commit f591938. Consult the ACPI v6.6 specification, Section 16.3 for the firmware behavior context.
Workarounds
- Disable suspend-to-RAM on affected hosts by masking the suspend.target systemd unit until the kernel is patched.
- Boot with the nox2apic kernel parameter on systems where IRQ remapping is unavailable to ensure consistent xapic mode across boot and resume.
- Enable interrupt remapping in firmware where supported so the kernel retains x2apic mode and avoids the mismatched-state condition.
# Configuration example: disable suspend until patched
sudo systemctl mask suspend.target sleep.target hibernate.target hybrid-sleep.target
# Alternative: force xapic mode via the kernel command line.
# Add nox2apic to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, for example:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nox2apic"
# then regenerate the GRUB configuration and reboot:
sudo update-grub
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.