PatchSiren

CVE-2026-43381 Linux CVE debrief

A vulnerability in the Linux kernel's nouveau driver for NVIDIA GPUs allows local users to trigger a kernel crash when attempting DisplayPort AUX channel transfers while the GPU is in a runtime-suspended (asleep) state. The issue occurs because the driver fails to check power state before initiating GSP (GPU System Processor) RPC operations, leading to a NULL pointer dereference or use-after-free in the GSP message queue wait routine. The vulnerability is triggered when userspace applications such as fwupd attempt to access /dev/drm_dp_* device nodes while the GPU is power-managed. The fix introduces a power state check in the DPCD (DisplayPort Configuration Data) AUX transfer path, returning -EBUSY when the device is asleep rather than proceeding with the transfer. This is a defensive fix; the commit message notes that a proper power domain solution for waking devices during firmware updates is still needed.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-26
Advisory published: 2026-05-08
Advisory updated: 2026-05-26

Who should care

Linux desktop and workstation administrators running NVIDIA hardware with the nouveau driver; users of firmware update tools (fwupd) on hybrid graphics laptops; kernel maintainers for distributions shipping affected kernel versions; security teams monitoring for local denial-of-service conditions on multi-user systems.

Technical summary

The nouveau open-source NVIDIA driver contains a race condition between runtime power management and DisplayPort AUX channel access. When userspace opens /dev/drm_dp_* device nodes to perform DDC/CI or DisplayPort configuration operations, the driver initiates GSP RPC calls without verifying the GPU is powered on. The r535_gsp_msgq_wait function dereferences invalid state, triggering a kernel WARNING and potential crash. The vulnerability affects systems with Turing and newer NVIDIA GPUs that use the GSP firmware architecture. The fix adds a power state check in nvkm_dp_aux_xfer, returning -EBUSY when pm_runtime_suspended() is true, preventing the crash. Affected kernel versions span from 3.16 through 6.19.9 and 7.0-rc1/rc2.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your kernel version: 5.10.253 or later for 5.10.x series, 5.15.203 or later for 5.15.x series, 6.1.167 or later for 6.1.x series, 6.6.130 or later for 6.6.x series, 6.12.78 or later for 6.12.x series
  • Upgrade to kernel 6.18.19 or later, or 6.19.9 or later, or 7.0-rc3 or later
  • For systems running 7.0-rc1 or 7.0-rc2, upgrade to a later release candidate
  • If immediate patching is not possible, avoid running DisplayPort-related userspace tools (such as fwupd) while the GPU is in a power-managed state
  • Monitor kernel logs for nouveau GSP-related warnings as indicators of attempted exploitation
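
A triage helper for the two checks in the list above, added here as an example and not taken from the advisory or the kernel project: it compares a `uname -r` string with the fixed releases listed in this debrief and scans kernel log lines for the r535_gsp_msgq_wait signature. The function names, the status labels and the sample log lines are assumptions made for illustration.

```python
import re

# Fixed stable releases per series, taken from the action list above.
FIXED = {(5, 10): 253, (5, 15): 203, (6, 1): 167, (6, 6): 130,
         (6, 12): 78, (6, 18): 19, (6, 19): 9}
SIGNATURE = "r535_gsp_msgq_wait"  # crash symbol quoted in the CVE description

def kernel_status(release):
    """Classify a `uname -r` string by upstream version number alone.

    Distribution kernels can carry the fix under an older version number,
    so 'below-fix' means "check the vendor changelog", not "confirmed".
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if series == (7, 0):
        # 7.0-rc1 and -rc2 are affected; -rc3 and later carry the fix.
        rc = m.group(4)
        return "below-fix" if rc and int(rc) < 3 else "fixed"
    if series > (7, 0):
        return "fixed"
    if series not in FIXED:
        return "unknown"  # no fixed release listed for this series
    return "fixed" if patch >= FIXED[series] else "below-fix"

def find_crash_lines(log_lines):
    """Return (line_number, text) for nouveau lines naming the GSP wait routine."""
    return [(n, line.rstrip()) for n, line in enumerate(log_lines, 1)
            if SIGNATURE in line and "nouveau" in line]

# Constructed sample input (not captured from a real system).
SAMPLE_LOG = [
    "[  812.101] nouveau 0000:01:00.0: runtime suspend",
    "[  840.553] WARNING: CPU: 2 PID: 4121 at r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]",
    "[  840.554] Call Trace:",
]

if __name__ == "__main__":
    for rel in ("6.6.129", "6.12.78-1-amd64", "7.0.0-rc2", "6.8.0-45-generic"):
        print(rel, "->", kernel_status(rel))
    for n, text in find_crash_lines(SAMPLE_LOG):
        print(f"log line {n}: {text}")
```

A result of "unknown" means this debrief lists no fixed release for that series, so the distribution's own advisory is the authority there.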

Evidence notes

The vulnerability description and patch references are sourced from the official NVD record. The crash signature r535_gsp_msgq_wait+0x9a/0xb0 is explicitly documented in the CVE description. Multiple stable kernel patches are available across affected branches. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low complexity that requires low privileges and results in high availability impact.
