CVE-2026-43081

Vulnerability

In the Linux kernel's IPA (IPA) driver, the field masks for the GENERIC_CMD register were incorrectly defined for IPA v5.0 and later. The masks did not match the hardware layout documented in the downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*) specification. This mismatch caused the driver to misinterpret the register fields, leading to incorrect command encoding.

Exploitation

The vulnerability is triggered when the IPA driver sends a "stop" command to the MPSS (Modem Processor Subsystem) remoteproc while IPA is active. No special privileges beyond the ability to trigger IPA operations are required; the issue manifests during normal system operation when the modem is stopped. The incorrect field masks cause the driver to write invalid values to the GENERIC_CMD register, which can lead to a kernel WARN (a warning trace) being emitted.

Impact

An attacker who can trigger the IPA stop sequence (e.g., by forcing a modem reset or through a crafted system call) could cause a kernel WARN, which may result in a denial of service (system instability or panic) depending on the kernel configuration. The WARN itself indicates a bug that could be leveraged for further exploitation, though the primary impact is system disruption.

Mitigation

The fix has been applied to the Linux kernel stable tree via commits [1][2][3][4]. Users should update to a kernel version containing these patches. No workaround is available other than avoiding the IPA stop sequence, which is not practical for normal operation.