CVE-2026-31550
Description
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
The bcm2835_asb_control() function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently fails for V3D's master ASB on BCM2711, resulting in "Failed to disable ASB master for v3d" errors during runtime PM suspend. As a consequence, the failed power-off leaves V3D in a broken state, leading to bus faults or system hangs on later accesses.
As the timeout is insufficient in some scenarios, increase the polling timeout from 1us to 5us, which is still negligible in the context of a power domain transition. Also, replace the open-coded ktime_get_ns()/ cpu_relax() polling loop with readl_poll_timeout_atomic().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel's BCM2835 power domain driver had an insufficient 1us polling timeout that could cause V3D GPU power-off to fail, leading to bus faults or system hangs; fixed by increasing timeout to 5us.
Vulnerability
Overview
CVE-2026-31550 describes a timing issue in the bcm2835_asb_control() function of the BCM2835 power domain driver (bcm2835-power) in the Linux kernel. The function polls the ASB (Application Specific Bridge) for an acknowledgment within a 1us timeout. Under heavy workloads on BCM2711, this tight loop can fail, especially for V3D's master ASB, resulting in an error such as "Failed to disable ASB master for v3d" during runtime PM suspend. The underlying root cause is that the timeout is insufficient for the hardware handshake to complete in all scenarios.
Exploitation
Context
The vulnerability is exploitable during runtime power management suspend operations. An attacker with local access to trigger significant GPU (V3D) workload could induce the timeout failure, potentially causing the power-off sequence to leave the V3D hardware in an inconsistent state. No special privileges beyond the ability to interact with the GPU are required, but the attack surface is local only. The affected component is a power domain driver used on Raspberry Pi 4 (BCM2711) and similar Broadcom SoCs.
Impact
A failed ASB handshake during power-off leaves the V3D block in a partially powered-down state. Subsequent access to V3D can cause bus faults, crashes, or even system hangs, leading to denial of service (DoS). The CVSS v3 score is 5.5 (Medium), reflecting the need for local access and the potential for disruption of availability. There is no evidence of data confidentiality or integrity impact.
Mitigation
The fix increases the polling timeout from 1us to 5us and replaces the open-coded ktime_get_ns()/cpu_relax() loop with the standard readl_poll_timeout_atomic() helper, improving both reliability and code clarity. The patch has been applied to the Linux kernel stable tree with commit IDs as referenced [1], [2], [3], [4]. Users should update their kernel to include this patch. No workaround is documented other than updating; the driver is not end-of-life (EOL). The issue is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.1.1,<5.10.253
- cpe:2.3:o:linux:linux_kernel:5.1:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0e84e74849d2d7e9b23a09c2d5e0d9357db1ca59nvdPatch
- git.kernel.org/stable/c/18605b1b936b66b1f34dcf8e9ad4f1fbcf7a7c13nvdPatch
- git.kernel.org/stable/c/572f17180f26619809b8e0593d926762aa8660ffnvdPatch
- git.kernel.org/stable/c/622ab02e955c35c125ff2b65d8327b2c52db8758nvdPatch
- git.kernel.org/stable/c/9443202d91388026dbf7312972a74fbfd27ee82fnvdPatch
- git.kernel.org/stable/c/b826d2c0b0ecb844c84431ba6b502e744f5d919anvdPatch
- git.kernel.org/stable/c/c5e734f6a0740dce92e7c919e632cb43fa5d4e53nvdPatch
- git.kernel.org/stable/c/ea4fa54b83bb2e4a21e9026824bfe271b1a6ee1envdPatch
News mentions
0No linked articles in our index yet.