CVE-2026-43477
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL.
Personally I was only able to reproduce a hang (on a Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason.
BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL as well. The DMC firmware also does the VRR restore in two stages:
- first stage seems to be unconditional and includes TRANS_VRR_CTL and a few other VRR registers, among other things
- second stage is conditional on the DDI being enabled, and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, among other things
So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later.
BSpec: 22243
(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Patches
3 patches: 237aab549676, bf9e3b6ffd76, 8a7d29b8bda1
Vulnerability mechanics
Root cause
"Writing VRR timing registers (TRANS_VRR_VMAX/FLIPLINE) before TRANS_DDI_FUNC_CTL is enabled can cause a machine check hang on ICL platforms."
Attack vector
An attacker with physical or local access can trigger this bug by connecting an external display via a dock with a faulty Type-C cable that causes link training to fail. The hang occurs during the display mode-setting sequence when VRR registers are programmed in the wrong order relative to TRANS_DDI_FUNC_CTL. The vulnerability is triggered through normal display hotplug or mode change operations, not through a crafted payload. No authentication is required beyond the ability to connect a display device.
Affected code
The vulnerability affects the VRR timing initialization path in the i915 DRM driver for Intel graphics. The relevant code is in intel_vrr.c where intel_vrr_set_transcoder_timings() is called, and in the display mode-setting sequence where the order of intel_ddi_enable_transcoder_func() and VRR register writes is determined. The patch modifies the call site to ensure TRANS_VRR_VMAX/FLIPLINE are written after TRANS_DDI_FUNC_CTL is enabled.
What the fix does
The patch [patch_id=424578] moves the VRR timing configuration (intel_vrr_set_transcoder_timings) to occur after intel_ddi_enable_transcoder_func() has been called, matching the ordering required by BSpec 22243. Previously VRR timings were configured before the DDI function control was enabled, which could cause a machine check hang on ICL. An extra WARN_ON is added to ensure future code changes do not reintroduce the incorrect ordering.
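The ordering rule described above, as an added userspace model (not code from the i915 driver or from the patch). All `model_*` names are hypothetical, and skipping the guarded write is a choice of this model, not a statement about what the kernel's WARN does.

```c
/* Userspace model only: hypothetical names, not i915 driver code. */
#include <stdbool.h>
#include <stdio.h>

struct model_transcoder {
    bool ddi_func_enabled;   /* models TRANS_DDI_FUNC_CTL being enabled */
    bool vrr_timings_set;    /* models TRANS_VRR_VMAX/VMIN/FLIPLINE written */
    int  ordering_warnings;  /* guard hits, standing in for the extra WARN */
};

static void model_enable_ddi_func(struct model_transcoder *t)
{
    t->ddi_func_enabled = true;
}

/* Guarded write: VRR timings may only be programmed once the DDI function
 * is enabled. This model counts the violation and skips the write. */
static bool model_set_vrr_timings(struct model_transcoder *t)
{
    if (!t->ddi_func_enabled) {
        t->ordering_warnings++;
        return false;
    }
    t->vrr_timings_set = true;
    return true;
}

/* ddi_first == false: the pre-fix order (VRR timings, then DDI function).
 * ddi_first == true:  the post-fix order (DDI function, then VRR timings). */
static struct model_transcoder model_run(bool ddi_first)
{
    struct model_transcoder t = {0};

    if (ddi_first) {
        model_enable_ddi_func(&t);
        model_set_vrr_timings(&t);
    } else {
        model_set_vrr_timings(&t);
        model_enable_ddi_func(&t);
    }
    return t;
}

int main(void)
{
    printf("pre-fix order:  %d warning(s)\n", model_run(false).ordering_warnings);
    printf("post-fix order: %d warning(s)\n", model_run(true).ordering_warnings);
    return 0;
}
```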
Preconditions
- input: External display connected via a dock with a faulty Type-C cable that causes link training to fail
- config: VRR (Variable Refresh Rate) must be enabled on the display configuration
- network: No network access required; physical or local access to connect a display is sufficient
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.