CVE-2026-43477

Source
https://cve.org/CVERecord?id=CVE-2026-43477
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43477.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43477
Downstream
Published
2026-05-13T15:08:26.763Z
Modified
2026-07-15T01:49:15.618714092Z
Summary
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/vrr: Configure VRR timings after enabling TRANSDDIFUNC_CTL

Apparently ICL may hang with an MCE if we write TRANSVRRVMAX/FLIPLINE before enabling TRANSDDIFUNC_CTL.

Personally I was only able to reproduce a hang (on an Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason.

BSpec does tell us to configure VRR after enabling TRANSDDIFUNCCTL as well. The DMC firmware also does the VRR restore in two stages: - first stage seems to be unconditional and includes TRANSVRRCTL and a few other VRR registers, among other things - second stage is conditional on the DDI being enabled, and includes TRANSDDIFUNCCTL and TRANSVRRVMAX/VMIN/FLIPLINE, among other things

So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later.

BSpec: 22243 (cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43477.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dda7dcd9da73c5327aef42b89f0519bb51e84217
Fixed
8a7d29b8bda144d44e61df1b2705b1d4378f4e44
Fixed
bf9e3b6ffd76da38dd4961c65d80571b25bf10a5
Fixed
237aab549676288d9255bb8dcc284738e56eaa31

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43477.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.18.20
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43477.json"