CVE-2026-43477 (GCVE-0-2026-43477)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
VLAI?
Title
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL. Personally I was only able to reproduce a hang (on an Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason. BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL as well. The DMC firmware also does the VRR restore in two stages: - first stage seems to be unconditional and includes TRANS_VRR_CTL and a few other VRR registers, among other things - second stage is conditional on the DDI being enabled, and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, among other things So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later. BSpec: 22243 (cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < 8a7d29b8bda144d44e61df1b2705b1d4378f4e44 (git)
Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < bf9e3b6ffd76da38dd4961c65d80571b25bf10a5 (git)
Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < 237aab549676288d9255bb8dcc284738e56eaa31 (git)
Create a notification for this product.
Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_display.c",
            "drivers/gpu/drm/i915/display/intel_vrr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a7d29b8bda144d44e61df1b2705b1d4378f4e44",
              "status": "affected",
              "version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
              "versionType": "git"
            },
            {
              "lessThan": "bf9e3b6ffd76da38dd4961c65d80571b25bf10a5",
              "status": "affected",
              "version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
              "versionType": "git"
            },
            {
              "lessThan": "237aab549676288d9255bb8dcc284738e56eaa31",
              "status": "affected",
              "version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_display.c",
            "drivers/gpu/drm/i915/display/intel_vrr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\n\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\nbefore enabling TRANS_DDI_FUNC_CTL.\n\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\n2-in-1) with an external display connected via a dock using a dodgy\ntype-C cable that made the link training fail. After the failed\nlink training the machine would hang. TGL seemed immune to the\nproblem for whatever reason.\n\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\nas well. The DMC firmware also does the VRR restore in two stages:\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\n  and a few other VRR registers, among other things\n- second stage is conditional on the DDI being enabled,\n  and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\n  among other things\n\nSo let\u0027s reorder the steps to match to avoid the hang, and\ntoss in an extra WARN to make sure we don\u0027t screw this up later.\n\nBSpec: 22243\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:08:26.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31"
        }
      ],
      "title": "drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43477",
    "datePublished": "2026-05-13T15:08:26.763Z",
    "dateReserved": "2026-05-01T14:12:56.011Z",
    "dateUpdated": "2026-05-13T15:08:26.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43477",
      "date": "2026-05-21",
      "epss": "0.00022",
      "percentile": "0.06225"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43477\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-13T16:16:50.807\",\"lastModified\":\"2026-05-13T16:16:50.807\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\\n\\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\\nbefore enabling TRANS_DDI_FUNC_CTL.\\n\\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\\n2-in-1) with an external display connected via a dock using a dodgy\\ntype-C cable that made the link training fail. After the failed\\nlink training the machine would hang. TGL seemed immune to the\\nproblem for whatever reason.\\n\\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\\nas well. The DMC firmware also does the VRR restore in two stages:\\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\\n  and a few other VRR registers, among other things\\n- second stage is conditional on the DDI being enabled,\\n  and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\\n  among other things\\n\\nSo let\u0027s reorder the steps to match to avoid the hang, and\\ntoss in an extra WARN to make sure we don\u0027t screw this up later.\\n\\nBSpec: 22243\\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.