Skip to main content

Linux Kernel EUVDEUVD-2026-27355

| CVE-2026-43061 MEDIUM
Improper Locking (CWE-667)
2026-05-05 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 21:01 vuln.today
CVSS changed
May 29, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 05, 2026 - 17:01 EUVD
CVE Published
May 05, 2026 - 15:17 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: Fix TX deadlock when using DMA

dmaengine_terminate_async does not guarantee that the __dma_tx_complete callback will run. The callback is currently the only place where dma->tx_running gets cleared. If the transaction is canceled and the callback never runs, then dma->tx_running will never get cleared and we will never schedule new TX DMA transactions again.

This change makes it so we clear dma->tx_running after we terminate the DMA transaction. This is "safe" because serial8250_tx_dma_flush is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to dma->tx_running is serialized.

AnalysisAI

TX deadlock in the Linux kernel's 8250 serial UART driver permanently blocks DMA transmissions when a DMA transaction is terminated without its completion callback executing. Specifically, dmaengine_terminate_async does not guarantee that __dma_tx_complete runs, leaving dma->tx_running permanently set and preventing any subsequent TX DMA scheduling. This availability-only denial-of-service (CVSS A:H) requires local low-privileged access and only manifests on systems with 8250 UART hardware operating in DMA mode; no public exploit exists and no KEV listing is present.

Technical ContextAI

The flaw resides in the Linux kernel's serial/8250 driver DMA TX path (drivers/tty/serial/8250/8250_dma.c). CWE-667 (Improper Locking) identifies the root cause: a state-management race where the dma->tx_running boolean's lifecycle was incorrectly delegated entirely to the __dma_tx_complete callback. The serial8250_tx_dma_flush function holds the UART port lock while invoking dmaengine_terminate_async, but the DMA engine API contract does not guarantee callback execution on async cancellation. Because the callback is also the sole site where dma->tx_running is cleared, a missed callback permanently wedges the flag, starving all future TX DMA scheduling. The fix relocates the flag clearance to the post-termination window while the port lock is still held, enforcing serialized, deterministic state transitions. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across multiple stable branches as enumerated in EUVD-2026-27355.

RemediationAI

Upgrade to a patched Linux kernel stable release: 5.10.253+ for the 5.10 LTS branch, 5.15.203+ for the 5.15 LTS branch, 6.1.167+ for the 6.1 LTS branch, 6.6.130+ for the 6.6 LTS branch, 6.12.78+ for the 6.12 LTS branch, 6.18.20+ for the 6.18 branch, 6.19.10+ for the 6.19 branch, or 7.0+ for mainline. Upstream stable fix commits are available at https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d and parallel backports listed in the CVE references (commits 79a19bd9, f76d9127, d2719a0a, 2a72403b, 5f6b1756, b5ad8873, a424a34b). For systems where an immediate kernel upgrade is not feasible, disabling DMA mode on the 8250 UART driver - either by not loading the serial_8250_dma module or by disabling DMA in kernel configuration - eliminates the vulnerable code path entirely. The trade-off is a reversion to PIO-based serial transmission, which reduces throughput and increases CPU utilization for serial-heavy workloads but has no security implication.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy