
CVE-2026-53331: Linux Kernel Race Condition Vulnerability

CVE-2026-53331 is a race condition vulnerability in the Linux kernel slimbus qcom-ngd-ctrl component that can cause deadlocks. This article covers the technical details, affected versions, impact, and mitigation strategies.

CVE-2026-53331 Overview

CVE-2026-53331 is a locking order flaw in the Linux kernel's slimbus subsystem, specifically in the Qualcomm NGD (Non-Generic Device) controller driver qcom-ngd-ctrl. During Subsystem Restart (SSR) or Protection Domain Restart (PDR) down notifications, the driver acquires tx_lock and then reaches slim_report_absent(), which takes the slim_controller lock. Other code paths acquire these two locks in the opposite order, producing an ABBA locking sequence. Lockdep flags the condition, and a real deadlock is possible on affected Qualcomm SoCs that use slimbus peripherals such as audio codecs.

Critical Impact

A deadlock during SSR/PDR notifications can stall the slimbus subsystem, freezing audio and other peripherals dependent on the Qualcomm NGD controller.

Affected Products

  • Linux kernel slimbus subsystem (drivers/slimbus/qcom-ngd-ctrl.c)
  • Qualcomm SoC platforms using the NGD slimbus controller
  • Multiple stable kernel branches referenced by the upstream fix commits

Discovery Timeline

  • 2026-07-01 - CVE-2026-53331 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53331

Vulnerability Analysis

The defect is a classic ABBA lock ordering violation [CWE-667] between two mutexes owned by the Qualcomm NGD slimbus controller: ctrl->tx_lock and ctrl->lock (the slim_controller lock). When qcom_slim_ngd_ssr_pdr_notify() receives an SSR or PDR down notification, it takes tx_lock to synchronize against active Direct Memory Access (DMA) transfers. Execution then descends into qcom_slim_ngd_down() and slim_report_absent(), which acquires the slim_controller lock while tx_lock is still held.

Elsewhere in the driver, transfer paths acquire the controller lock first and then take tx_lock. Two CPUs executing these paths concurrently can each hold one lock while waiting on the other, producing a deadlock. Lockdep reports the unsafe scenario before it deadlocks in production.

Root Cause

The root cause is inconsistent lock ordering. The SSR/PDR notification path assumed tx_lock was needed to prevent overlap with qcom_slim_ngd_exit_dma(). However, DMA transactions are initiated and completed within a single qcom_slim_ngd_xfer_msg() call. Before qcom_slim_ngd_exit_dma() runs, the slim_controller is torn down and all child devices are removed, so no concurrent DMA can occur.

Attack Vector

This is a reliability and stability defect rather than a remote exploitation primitive. The condition is triggered by SSR/PDR events, which occur when a remote processor such as the Audio DSP crashes or is intentionally restarted. A local attacker able to trigger repeated remote-processor restarts on affected hardware could induce the deadlock, resulting in a denial of service on slimbus-connected peripherals. No memory corruption or privilege escalation is described in the upstream commit.

The upstream fix removes the acquisition of tx_lock in qcom_slim_ngd_ssr_pdr_notify(), eliminating the inverse ordering. See the kernel commit for the applied patch.
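The ordering problem and the effect of the fix can be modelled with a small lock-order graph, the idea lockdep is built on. This is an added illustration, not code from the kernel or the upstream patch; the class, function and path labels are hypothetical, and only the acquisition orders come from the description above.

```python
from collections import defaultdict

class LockOrderGraph:
    """Toy lockdep-style validator (illustrative, not kernel code)."""

    def __init__(self):
        self.edges = defaultdict(set)  # held lock -> locks acquired under it

    def _reachable(self, src, dst):
        stack, seen = [src], set()
        while stack:
            node = stack.pop()
            if node == dst:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(self.edges[node])
        return False

    def run_path(self, name, acquisitions):
        """Replay one path's lock acquisitions; return ordering violations."""
        held, reports = [], []
        for lock in acquisitions:
            for h in held:
                # An existing chain lock -> ... -> h means some other path
                # takes these locks in the opposite order: ABBA.
                if self._reachable(lock, h):
                    reports.append(f"{name}: takes {lock} while holding {h}")
                self.edges[h].add(lock)
            held.append(lock)
        return reports

# Acquisition orders as described on this page; the path labels are ours.
TRANSFER = ("transfer path", ["ctrl->lock", "ctrl->tx_lock"])
NOTIFY_BEFORE = ("ssr_pdr_notify (before fix)", ["ctrl->tx_lock", "ctrl->lock"])
NOTIFY_AFTER = ("ssr_pdr_notify (after fix)", ["ctrl->lock"])

def check(paths):
    graph, reports = LockOrderGraph(), []
    for name, acquisitions in paths:
        reports += graph.run_path(name, acquisitions)
    return reports

if __name__ == "__main__":
    print(check([TRANSFER, NOTIFY_BEFORE]))  # one inversion report
    print(check([TRANSFER, NOTIFY_AFTER]))   # empty list
```

The inversion is reported even though the two paths are replayed one after the other, which is why lockdep can warn about the ordering before two CPUs ever collide on it.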

Detection Methods for CVE-2026-53331

Indicators of Compromise

  • Kernel lockdep splat referencing &ctrl->lock and &ctrl->tx_lock from slim_qcom_ngd_ctrl
  • Task blocked messages naming qcom_slim_ngd_ssr_pdr_notify in the backtrace
  • Audio or slimbus peripheral hangs correlated with remoteproc SSR or PDR events

Detection Strategies

  • Enable CONFIG_PROVE_LOCKING on test kernels and monitor dmesg for ABBA warnings involving slimbus
  • Correlate rproc recovery events with subsequent slimbus transfer timeouts in kernel logs
  • Track kernel version and backport status across Qualcomm SoC fleets to identify unpatched builds

Monitoring Recommendations

  • Collect kernel ring buffer output centrally and alert on "possible circular locking dependency" messages
  • Monitor audio subsystem availability on devices where the Audio DSP undergoes routine restarts
  • Track kernel package versions against the upstream stable commits listed in the NVD references
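
One way to turn the indicators above into a log check, as an added example that is not part of the original advisory: it scans kernel log text for a lockdep splat naming both lock classes and for hung-task reports whose backtrace names qcom_slim_ngd_ssr_pdr_notify. The sample log is constructed (addresses, offsets, timestamps and task names are made up), and the scan() function and its 30-line window are assumptions.

```python
import re

# Constructed sample of kernel log output (not captured from a real device);
# addresses, offsets, timestamps and task names are made up.
SAMPLE_DMESG = """\
[  812.207731] ======================================================
[  812.207735] WARNING: possible circular locking dependency detected
[  812.207739] 6.x.y-example #1 Not tainted
[  812.207742] ------------------------------------------------------
[  812.207746] kworker/u16:3/211 is trying to acquire lock:
[  812.207750] ffff000012345678 (&ctrl->lock){+.+.}-{3:3}, at: slim_report_absent+0x2c/0x98
[  812.207761] but task is already holding lock:
[  812.207765] ffff000012345abc (&ctrl->tx_lock){+.+.}-{3:3}, at: qcom_slim_ngd_ssr_pdr_notify+0x5c/0x120
[  812.207777] which lock already depends on the new lock.
[ 1055.330001] INFO: task kworker/u16:3:211 blocked for more than 120 seconds.
[ 1055.330010] Call trace:
[ 1055.330014]  __mutex_lock+0x1a0/0x4e0
[ 1055.330018]  qcom_slim_ngd_ssr_pdr_notify+0x5c/0x120
"""

# Lock lines look like: <addr> (<class>){<usage>}-{..}, at: <function>+0x...
LOCK_RE = re.compile(r"\((&[\w>.-]+)\)\{[^}]*\}.*?, at: (\w+)\+0x")
WATCHED = {"&ctrl->lock", "&ctrl->tx_lock"}
NOTIFY_FN = "qcom_slim_ngd_ssr_pdr_notify"

def scan(dmesg, trace_window=30):
    """Return (kind, functions) findings for the indicators listed above."""
    lines = dmesg.splitlines()
    findings = []
    for i, line in enumerate(lines):
        window = lines[i + 1:i + 1 + trace_window]
        if "possible circular locking dependency detected" in line:
            locks = [m.groups() for l in window if (m := LOCK_RE.search(l))]
            # Only flag splats that involve both slimbus controller locks.
            if WATCHED <= {name for name, _ in locks}:
                findings.append(("lockdep_abba", sorted(fn for _, fn in locks[:2])))
        elif "blocked for more than" in line:
            if any(NOTIFY_FN in l for l in window):
                findings.append(("hung_task", [NOTIFY_FN]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_DMESG):
        print(finding)
```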

How to Mitigate CVE-2026-53331

Immediate Actions Required

  • Update to a Linux kernel version that includes the upstream fix removing tx_lock acquisition from qcom_slim_ngd_ssr_pdr_notify()
  • Apply vendor BSP kernel updates for Qualcomm-based platforms that ship the slimbus NGD driver
  • Rebuild custom kernels against the referenced stable branches

Patch Information

The fix is distributed across multiple stable kernel branches. Refer to the upstream commits: commit 3d15615, commit 55f2ea9, commit 9708eb5, commit 9f0d45d, commit aad4337, commit d54a221, and commit dc4d5c5.

Workarounds

  • No supported workaround exists; the deadlock is only removed by kernel code changes
  • Reduce exposure by limiting scenarios that trigger repeated SSR or PDR events on affected devices
  • Disable slimbus-dependent peripherals in device tree where operationally feasible until patches are applied

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
