{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43353", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.005Z", "datePublished": "2026-05-08T14:21:10.282Z", "dateUpdated": "2026-05-08T14:21:10.282Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:21:10.282Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time. However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring. If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i3c/master/mipi-i3c-hci/core.c", "drivers/i3c/master/mipi-i3c-hci/dma.c", "drivers/i3c/master/mipi-i3c-hci/hci.h"], "versions": [{"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07", "lessThan": "b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e", "status": "affected", "versionType": "git"}, {"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07", "lessThan": "4faa1e9c67a2229f6749190aedaf88ce0391efd2", "status": "affected", "versionType": "git"}, {"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07", "lessThan": "1dca8aee80eea76d2aae21265de5dd64f6ba0f09", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i3c/master/mipi-i3c-hci/core.c", "drivers/i3c/master/mipi-i3c-hci/dma.c", "drivers/i3c/master/mipi-i3c-hci/hci.h"], "versions": [{"version": "5.11", "status": "affected"}, {"version": "0", "lessThan": "5.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e"}, {"url": "https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2"}, {"url": "https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09"}], "title": "i3c: mipi-i3c-hci: Fix race in DMA ring dequeue", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time. However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring. If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself."}], "id": "CVE-2026-43353", "lastModified": "2026-05-08T15:16:46.043", "metrics": {}, "published": "2026-05-08T15:16:46.043", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue", "id": "2468222", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468222"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-820", "details": ["A flaw was found in the Linux kernel's i3c: mipi-i3c-hci module. A race condition in the `hci_dma_dequeue_xfer()` function allows parallel calls to interfere with each other when multiple transfers time out concurrently. This interference can cause the DMA ring to stop or restart unexpectedly, potentially leading to system instability or a denial of service (DoS)."], "name": "CVE-2026-43353", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43353\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43353\nhttps://lore.kernel.org/linux-cve-announce/2026050823-CVE-2026-43353-06fc@gregkh/T"], "threat_severity": "Moderate"}