Skip to main content

Linux Kernel EUVDEUVD-2026-28629

| CVE-2026-43345 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7657-q549-6g59
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:26 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 15:17 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.5
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ipa: fix event ring index not programmed for IPA v5.0+

For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX.

Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion().

At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hanged forever. It also meant the IPA data path was completely non functional.

AnalysisAI

Linux Kernel versions 6.4 and later containing IPA v5.0+ hardware support experience complete data path failure and indefinite system hangs during suspend or shutdown operations due to a register field misprogramming bug. The event ring index field was incorrectly referenced using an outdated identifier (ERINDEX instead of CH_ERINDEX) in the CH_C_CNTXT_1 register definition, preventing GSI channels from signaling transfer completions. This causes gsi_channel_trans_quiesce() to block indefinitely in wait_for_completion(), resulting in runtime suspend, system suspend, and remoteproc stop operations hanging forever. Patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The CVSS vector indicates network-accessible attack surface, though the actual impact is limited to devices with IPA v5.0+ hardware.

Technical ContextAI

The Qualcomm IPA (Internet Packet Accelerator) subsystem in the Linux kernel uses GSI (Generic Software Interface) channels for hardware-accelerated network packet processing. Starting with IPA version 5.0, the hardware register layout changed, moving the event ring index field from the CH_C_CNTXT_0 register to CH_C_CNTXT_1. The kernel driver's register field mask array (fmask) incorrectly used the legacy identifier 'ERINDEX' instead of the updated 'CH_ERINDEX' when defining this field location. Event rings are the mechanism by which the GSI hardware signals completion of DMA transfer operations to the kernel driver. Without a properly programmed event ring index, the hardware cannot notify the driver of completed transfers, causing the driver to wait indefinitely on completion events. The affected code path is in drivers/net/ipa/ and specifically impacts the channel quiesce logic that is invoked during power management transitions and modem subsystem stop operations. This is a classic register abstraction layer bug where hardware specification changes were not fully propagated through software abstraction constants.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136 or later in the 6.6.x series, 6.12.83 or later in 6.12.x, 6.18.24 or later in 6.18.x, 6.19.14 or later in 6.19.x, or version 7.0 or later for mainline. Patch commits are available at https://git.kernel.org/stable/c/34c988bb04cbdf093d2134e179433da49ffcd044 and related stable branch commits. For systems where immediate kernel upgrade is not feasible, disable the IPA driver module (rmmod ipa) as a temporary workaround, though this will eliminate hardware-accelerated network packet processing and may significantly impact network performance or break mobile data connectivity on affected devices. If IPA functionality is essential and patching is delayed, avoid triggering suspend/resume cycles and remoteproc operations that invoke the affected code path, though this is impractical for mobile devices. There are no effective userspace or configuration-based mitigations that preserve IPA functionality. The fix involves a single-line change correcting the register field mask identifier, making backporting straightforward for custom kernel builds. Systems without Qualcomm IPA v5.0+ hardware require no action.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy