PatchSiren cyber security CVE debrief
CVE-2026-43477 Linux CVE debrief
CVE-2026-43477 describes a Linux kernel i915 graphics driver issue where Variable Refresh Rate (VRR) timing registers could be programmed before enabling TRANS_DDI_FUNC_CTL. According to the source description, that ordering can cause a hang and, on affected systems, may surface as an MCE-like failure. The upstream fix reorders the steps so VRR timings are configured only after the DDI function control is enabled.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-13
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-13
Who should care
Administrators and users running Linux systems with Intel integrated graphics, especially those using the i915 driver, external displays, docks, USB-C display paths, or VRR-capable monitor setups. Kernel maintainers and distro security teams should also care because the issue is in display-pipeline state handling.
Technical summary
The reported defect is an ordering bug in i915 VRR restore/configuration logic. The CVE description states that writing TRANS_VRR_VMAX and TRANS_VRR_FLIPLINE before enabling TRANS_DDI_FUNC_CTL can hang Ice Lake-class hardware. The fix follows the documented BSpec guidance and the DMC firmware’s two-stage restore pattern by enabling the DDI function control first, then programming the VRR timing registers. A WARN was added to help prevent regressions.
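The ordering rule described above, as a small user-space C model (an added example, not i915 driver code or the upstream patch). The enable bit, the timing values and every function name are assumptions; refusing the write in the guard is one way to model the added WARN, not a statement of how the driver's WARN behaves.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model: register names are from the CVE text; the enable bit,
 * timing values and all function names are assumptions for illustration. */
enum reg { TRANS_DDI_FUNC_CTL, TRANS_VRR_VMAX, TRANS_VRR_FLIPLINE, REG_COUNT };
#define DDI_FUNC_ENABLE (1u << 31)
struct transcoder {
    uint32_t regs[REG_COUNT];
    unsigned warnings; /* guard hits; stands in for the added WARN */
    bool hung;         /* models the hang reported on Ice Lake-class hardware */
};

static bool ddi_enabled(const struct transcoder *t) {
    return (t->regs[TRANS_DDI_FUNC_CTL] & DDI_FUNC_ENABLE) != 0;
}

/* Raw write: a VRR timing write while the DDI function is off hangs the model. */
static void reg_write(struct transcoder *t, enum reg r, uint32_t val) {
    if (r != TRANS_DDI_FUNC_CTL && !ddi_enabled(t)) t->hung = true;
    t->regs[r] = val;
}

/* Guarded path: refuse and count a warning instead of touching the registers. */
static int set_vrr_timings(struct transcoder *t, uint32_t vmax, uint32_t flipline) {
    if (!ddi_enabled(t)) { t->warnings++; return -1; }
    reg_write(t, TRANS_VRR_VMAX, vmax);
    reg_write(t, TRANS_VRR_FLIPLINE, flipline);
    return 0;
}

/* Pre-fix order: VRR timings first, DDI function control second. */
static bool restore_old_order(struct transcoder *t) {
    reg_write(t, TRANS_VRR_VMAX, 1200);
    reg_write(t, TRANS_VRR_FLIPLINE, 1125);
    reg_write(t, TRANS_DDI_FUNC_CTL, DDI_FUNC_ENABLE);
    return t->hung;
}

/* Post-fix order: enable DDI function control, then program VRR timings. */
static bool restore_fixed_order(struct transcoder *t) {
    reg_write(t, TRANS_DDI_FUNC_CTL, DDI_FUNC_ENABLE);
    (void)set_vrr_timings(t, 1200, 1125);
    return t->hung;
}

int main(void) {
    struct transcoder a = {0}, b = {0};
    return !(restore_old_order(&a) && !restore_fixed_order(&b));
}
```

The guarded setter is the part worth carrying into a regression test: a caller that reintroduces the old order gets a counted warning and an error return instead of a silent register write.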
Defensive priority
Medium. The issue appears to be a stability and availability problem rather than a code-execution flaw, but it can hard-hang affected systems and may be triggered in real-world display scenarios involving failed link training.
Recommended defensive actions
- Apply kernel updates that include the i915 VRR ordering fix from the referenced stable commits.
- Prioritize patching systems that use Intel graphics with external monitors, docks, or USB-C display adapters, especially where VRR is enabled or display link training issues are observed.
- Monitor for unexplained hangs during display hotplug, resume, or failed link-training events on affected hardware.
- If you maintain kernel-based fleets, verify that your downstream kernel includes the reordered VRR restore path and the added warning guard.
- Track distro advisories and vendor kernel backports for the stable fixes referenced by the CVE.
Evidence notes
All substantive findings here come from the CVE description and the linked official references. The source text explicitly says the fix is to configure VRR timings after enabling TRANS_DDI_FUNC_CTL, notes a hang on a Dell XPS 7390 2-in-1 with an external display and failing type-C cable during link training, and states that Tiger Lake appeared immune in the reporter’s testing. No CVSS metrics were present in the supplied source. Vendor mapping in the provided metadata is low-confidence, so this debrief treats the affected component as the Linux kernel i915 DRM driver rather than asserting a standalone product vendor.
Official resources
- CVE-2026-43477 CVE record (CVE.org)
- CVE-2026-43477 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CVE record published 2026-05-13T16:16:50.807Z and last modified the same time in the supplied source data.