CVE Catalog

CVE-2026-43477

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the i915 driver for Intel Graphics causes a potential system hang (MCE) on ICL platforms when VRR timings are configured before enabling TRANS_DDI_FUNC_CTL.

Risk Assessment

System hang may lead to data loss or service disruption, especially when using external displays via docking stations with unreliable USB-C cables.

Recommendation

Update the Linux kernel to a version containing commit 93f3a267c3dd4d811b224bb9e179a10d81456a74, which reorders VRR initialization as per BSpec guidelines.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL. Personally I was only able to reproduce a hang (on an Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason. BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL as well. The DMC firmware also does the VRR restore in two stages: - first stage seems to be unconditional and includes TRANS_VRR_CTL and a few other VRR registers, among other things - second stage is conditional on the DDI being enabled, and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, among other things So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later. BSpec: 22243 (cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS