Skip to main content

Linux Kernel IPA EUVDEUVD-2026-27572

| CVE-2026-43081 MEDIUM
2026-05-06 Linux GHSA-hp6x-xhc2-mhhc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 19:46 vuln.today
CVSS changed
Jun 01, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+

Fix the field masks to match the hardware layout documented in downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).

Notably this fixes a WARN I was seeing when I tried to send "stop" to the MPSS remoteproc while IPA was up.

AnalysisAI

Incorrect GENERIC_CMD register field masks in the Linux kernel's IPA (IP Accelerator) network driver for IPA v5.0+ hardware trigger a kernel WARN when a 'stop' command is sent to the MPSS (Modem Processor SubSystem) remoteproc while IPA is active. This availability-only vulnerability (CVSS C:N/I:N/A:H) affects authenticated local users on systems with Qualcomm IPA v5.0+ silicon. No public exploit exists and no KEV listing is present; with an EPSS of 0.02% this is a low-urgency stability fix rather than an active threat.

Technical ContextAI

The IPA (IP Accelerator) is a hardware block found in Qualcomm SoCs that performs hardware-accelerated network packet processing, controlled through the GSI (Generic Software Interface). The GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD register governs command dispatch to IPA hardware endpoints. The affected code in the Linux kernel's net/ipa driver used incorrect bitmask definitions for this register when targeting IPA v5.0+ hardware, meaning command fields were written to wrong bit positions. This mismatch between driver expectations and silicon layout causes a kernel WARN - a runtime assertion failure - when the MPSS remoteproc receives a 'stop' instruction while IPA is actively processing. The CWE is not formally classified in the provided data, but the root cause class is an off-by-one or misaligned bitmask (logic error in hardware register abstraction). Affected CPE: cpe:2.3:a:linux:linux covering kernel versions introduced at commit faf0678ec8a0aa9039d8b188d012206abd67dd5c through the respective stable-series fix commits.

RemediationAI

The primary fix is upgrading to a patched Linux kernel stable release: 6.6.136, 6.12.83, 6.18.24, 6.19.14, or 7.0 and later. Upstream fix commits are available at https://git.kernel.org/stable/c/9709b56d908acc120fe8b4ae250b3c9d749ea832 (one branch), https://git.kernel.org/stable/c/bafc45ea30d297002750396d5f10e3018bf2cd60, https://git.kernel.org/stable/c/2aa50d2c1f631b405849da246043c6f683af7489, https://git.kernel.org/stable/c/a7d326dfb13b5a0763eccfd78836fe15199fc499, and https://git.kernel.org/stable/c/d1c66396796f23f7201b1addf06f62515035354d. As a compensating control on systems that cannot immediately patch, administrators may restrict local user privileges to prevent unprivileged processes from issuing remoteproc control commands (typically requires CAP_SYS_ADMIN or equivalent); this trades off legitimate modem management capability but prevents triggering the WARN condition. Disabling IPA hardware acceleration (if configurable via kernel boot parameters or module options) would also prevent the crash path but at the cost of network throughput on the affected SoC. Distribution vendors shipping kernels for Qualcomm-based platforms should be consulted for backported patches.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy