CVE-2026-43061
Description
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix TX deadlock when using DMA
dmaengine_terminate_async does not guarantee that the __dma_tx_complete callback will run. The callback is currently the only place where dma->tx_running gets cleared. If the transaction is canceled and the callback never runs, then dma->tx_running will never get cleared and we will never schedule new TX DMA transactions again.
This change makes it so we clear dma->tx_running after we terminate the DMA transaction. This is "safe" because serial8250_tx_dma_flush is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to dma->tx_running is serialized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TX deadlock in Linux kernel serial 8250 driver with DMA occurs when dmaengine_terminate_async fails to clear tx_running, blocking future TX DMA.
Vulnerability
In the Linux kernel's serial 8250 driver, when DMA is used for transmission, the function dmaengine_terminate_async does not guarantee that the callback __dma_tx_complete will run. The callback is the only place where the flag dma->tx_running gets cleared. If a DMA transaction is canceled and the callback never executes, dma->tx_running remains set, causing a deadlock where no new TX DMA transactions can be scheduled.
Exploitation
The deadlock is triggered when a DMA transaction is canceled (e.g., by flushing the DMA queue) and the termination callback fails to run. The attacker requires local access to the serial port to initiate a DMA transfer and then cancel it, potentially through normal system operations. No special privileges are needed if the serial port is accessible to unprivileged users.
Impact
Once dma->tx_running is stuck, the serial port's DMA-based transmission permanently stops. This leads to a denial of service (DoS) of the serial output, which can disrupt console logging, modem communications, or any application relying on high-speed serial I/O. In critical systems, the loss of serial console may hinder debugging or system recovery.
Mitigation
The fix clears dma->tx_running immediately after terminating the DMA transaction while holding the UART port lock, ensuring serialized access. The patch has been committed to the stable kernel tree. Users should apply the kernel update containing the commit to resolve the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1nvd
- git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41nvd
- git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762dnvd
- git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70dnvd
- git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7nvd
- git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275nvd
- git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93nvd
- git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccfnvd
News mentions
0No linked articles in our index yet.