CVE-2026-53331 Overview
CVE-2026-53331 is a locking order flaw in the Linux kernel's slimbus subsystem, specifically in the Qualcomm NGD (Non-Generic Device) controller driver qcom-ngd-ctrl. During Subsystem Restart (SSR) or Protection Domain Restart (PDR) down notifications, the driver acquires tx_lock and then reaches slim_report_absent(), which takes the slim_controller lock. Other code paths acquire these two locks in the opposite order, producing an ABBA locking sequence. Lockdep flags the condition and a real deadlock is possible on affected Qualcomm SoCs using slimbus peripherals such as audio codecs.
Critical Impact
A deadlock during SSR/PDR notifications can stall the slimbus subsystem, freezing audio and other peripherals dependent on the Qualcomm NGD controller.
Affected Products
- Linux kernel slimbus subsystem (drivers/slimbus/qcom-ngd-ctrl.c)
- Qualcomm SoC platforms using the NGD slimbus controller
- Multiple stable kernel branches referenced by the upstream fix commits
Discovery Timeline
- 2026-07-01 - CVE-2026-53331 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53331
Vulnerability Analysis
The defect is a classic ABBA lock ordering violation [CWE-667] between two mutexes owned by the Qualcomm NGD slimbus controller: ctrl->tx_lock and ctrl->lock (the slim_controller lock). When qcom_slim_ngd_ssr_pdr_notify() receives an SSR or PDR down notification, it takes tx_lock to synchronize against active Direct Memory Access (DMA) transfers. Execution then descends into qcom_slim_ngd_down() and slim_report_absent(), which acquires the slim_controller lock while tx_lock is still held.
Elsewhere in the driver, transfer paths acquire the controller lock first and then take tx_lock. Two CPUs executing these paths concurrently can each hold one lock while waiting on the other, producing a deadlock. Lockdep reports the unsafe ordering before an actual deadlock occurs in production.
Root Cause
The root cause is inconsistent lock ordering. The SSR/PDR notification path assumed tx_lock was needed to prevent overlap with qcom_slim_ngd_exit_dma(). However, DMA transactions are initiated and completed within a single qcom_slim_ngd_xfer_msg() call. Before qcom_slim_ngd_exit_dma() runs, the slim_controller is torn down and all child devices are removed, so no concurrent DMA can occur.
Attack Vector
This is a reliability and stability defect rather than a remote exploitation primitive. The condition is triggered by SSR/PDR events, which occur when a remote processor such as the Audio DSP crashes or is intentionally restarted. A local attacker able to trigger repeated remote-processor restarts on affected hardware could induce the deadlock, resulting in a denial of service on slimbus-connected peripherals. No memory corruption or privilege escalation is described in the upstream commit.
The upstream fix removes the acquisition of tx_lock in qcom_slim_ngd_ssr_pdr_notify(), eliminating the inverse ordering. See the kernel commit for the applied patch.
Detection Methods for CVE-2026-53331
Indicators of Compromise
- Kernel lockdep splat referencing &ctrl->lock and &ctrl->tx_lock from slim_qcom_ngd_ctrl
- Task blocked messages naming qcom_slim_ngd_ssr_pdr_notify in the backtrace
- Audio or slimbus peripheral hangs correlated with remoteproc SSR or PDR events
Detection Strategies
- Enable CONFIG_PROVE_LOCKING on test kernels and monitor dmesg for ABBA warnings involving slimbus
- Correlate rproc recovery events with subsequent slimbus transfer timeouts in kernel logs
- Track kernel version and backport status across Qualcomm SoC fleets to identify unpatched builds
Monitoring Recommendations
- Collect kernel ring buffer output centrally and alert on "possible circular locking dependency" messages
- Monitor audio subsystem availability on devices where the Audio DSP undergoes routine restarts
- Track kernel package versions against the upstream stable commits listed in the NVD references
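The following Python example is added here and is not part of the original advisory or of the kernel project. It scans kernel log text for the two log indicators listed above: a lockdep circular-dependency report that names both &ctrl->lock and &ctrl->tx_lock, and a hung-task report whose backtrace contains qcom_slim_ngd_ssr_pdr_notify. The sample log is constructed, and the helper names scan and _report_body are this example's own.

```python
import re

# Constructed kernel log excerpt: message formats follow lockdep and the
# hung-task detector; addresses, PIDs and timestamps are invented.
SAMPLE_DMESG = """\
[  312.211012] WARNING: possible circular locking dependency detected
[  312.211025] kworker/u16:3/142 is trying to acquire lock:
[  312.211031] ffff000012345678 (&ctrl->lock){+.+.}-{3:3}, at: slim_report_absent+0x2c/0x90
[  312.211040] but task is already holding lock:
[  312.211046] ffff000012345abc (&ctrl->tx_lock){+.+.}-{3:3}, at: qcom_slim_ngd_ssr_pdr_notify+0x58/0xc0
[  433.870112] INFO: task kworker/u16:3:142 blocked for more than 120 seconds.
[  433.870140] Call trace:
[  433.870151]  slim_report_absent+0x2c/0x90
[  433.870160]  qcom_slim_ngd_ssr_pdr_notify+0x58/0xc0
"""

LOCKS = ("(&ctrl->lock)", "(&ctrl->tx_lock)")  # lock classes named in the advisory
NOTIFY_FN = "qcom_slim_ngd_ssr_pdr_notify"
SPLAT = "possible circular locking dependency detected"
HUNG = re.compile(r"INFO: task (\S+) blocked for more than \d+ seconds")
ACQUIRER = re.compile(r"^(\S+) is trying to acquire lock:", re.M)
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")

def _report_body(lines, start, size=60):
    """Text of the report that starts at `start`, cut at the next report header."""
    body = []
    for line in lines[start + 1:start + 1 + size]:
        if SPLAT in line or HUNG.search(line):
            break
        body.append(line)
    return "\n".join(body)

def scan(log):
    """Return (kind, line_number, task) for reports tied to the NGD SSR/PDR path."""
    lines = [TIMESTAMP.sub("", raw).strip() for raw in log.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        hung = HUNG.search(line)
        if SPLAT not in line and not hung:
            continue
        body = _report_body(lines, i)
        if hung and NOTIFY_FN in body:
            findings.append(("hung-task", i + 1, hung.group(1)))
        elif not hung and all(name in body for name in LOCKS):
            task = ACQUIRER.search(body)
            findings.append(("lockdep-abba", i + 1, task.group(1) if task else "?"))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_DMESG))
```

Lockdep reports that mention only one of the two lock classes, and hung tasks whose backtrace lacks the notify function, are ignored so that unrelated reports do not raise this alert.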
How to Mitigate CVE-2026-53331
Immediate Actions Required
- Update to a Linux kernel version that includes the upstream fix removing tx_lock acquisition from qcom_slim_ngd_ssr_pdr_notify()
- Apply vendor BSP kernel updates for Qualcomm-based platforms that ship the slimbus NGD driver
- Rebuild custom kernels against the referenced stable branches
Patch Information
The fix is distributed across multiple stable kernel branches. Refer to the upstream commits: commit 3d15615, commit 55f2ea9, commit 9708eb5, commit 9f0d45d, commit aad4337, commit d54a221, and commit dc4d5c5.
Workarounds
- No supported workaround exists; the deadlock is only removed by kernel code changes
- Reduce exposure by limiting scenarios that trigger repeated SSR or PDR events on affected devices
- Disable slimbus-dependent peripherals in device tree where operationally feasible until patches are applied

