{"api_version":"1","generated_at":"2026-05-13T17:39:32+00:00","cve":"CVE-2026-43477","urls":{"html":"https://cve.report/CVE-2026-43477","api":"https://cve.report/api/cve/CVE-2026-43477.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43477","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43477"},"summary":{"title":"drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\n\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\nbefore enabling TRANS_DDI_FUNC_CTL.\n\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\n2-in-1) with an external display connected via a dock using a dodgy\ntype-C cable that made the link training fail. After the failed\nlink training the machine would hang. TGL seemed immune to the\nproblem for whatever reason.\n\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\nas well. The DMC firmware also does the VRR restore in two stages:\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\n  and a few other VRR registers, among other things\n- second stage is conditional on the DDI being enabled,\n  and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\n  among other things\n\nSo let's reorder the steps to match to avoid the hang, and\ntoss in an extra WARN to make sure we don't screw this up later.\n\nBSpec: 22243\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-13 16:16:50","updated_at":"2026-05-13 16:16:50"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31","name":"https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44","name":"https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5","name":"https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43477","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43477","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dda7dcd9da73c5327aef42b89f0519bb51e84217 8a7d29b8bda144d44e61df1b2705b1d4378f4e44 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dda7dcd9da73c5327aef42b89f0519bb51e84217 bf9e3b6ffd76da38dd4961c65d80571b25bf10a5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected dda7dcd9da73c5327aef42b89f0519bb51e84217 237aab549676288d9255bb8dcc284738e56eaa31 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/gpu/drm/i915/display/intel_display.c","drivers/gpu/drm/i915/display/intel_vrr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"8a7d29b8bda144d44e61df1b2705b1d4378f4e44","status":"affected","version":"dda7dcd9da73c5327aef42b89f0519bb51e84217","versionType":"git"},{"lessThan":"bf9e3b6ffd76da38dd4961c65d80571b25bf10a5","status":"affected","version":"dda7dcd9da73c5327aef42b89f0519bb51e84217","versionType":"git"},{"lessThan":"237aab549676288d9255bb8dcc284738e56eaa31","status":"affected","version":"dda7dcd9da73c5327aef42b89f0519bb51e84217","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/gpu/drm/i915/display/intel_display.c","drivers/gpu/drm/i915/display/intel_vrr.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.16"},{"lessThan":"6.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"6.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\n\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\nbefore enabling TRANS_DDI_FUNC_CTL.\n\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\n2-in-1) with an external display connected via a dock using a dodgy\ntype-C cable that made the link training fail. After the failed\nlink training the machine would hang. TGL seemed immune to the\nproblem for whatever reason.\n\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\nas well. The DMC firmware also does the VRR restore in two stages:\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\n  and a few other VRR registers, among other things\n- second stage is conditional on the DDI being enabled,\n  and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\n  among other things\n\nSo let's reorder the steps to match to avoid the hang, and\ntoss in an extra WARN to make sure we don't screw this up later.\n\nBSpec: 22243\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)"}],"providerMetadata":{"dateUpdated":"2026-05-13T15:08:26.763Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44"},{"url":"https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5"},{"url":"https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31"}],"title":"drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43477","datePublished":"2026-05-13T15:08:26.763Z","dateReserved":"2026-05-01T14:12:56.011Z","dateUpdated":"2026-05-13T15:08:26.763Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-13 16:16:50","lastModifiedDate":"2026-05-13 16:16:50","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43477","Ordinal":"1","Title":"drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUN","CVE":"CVE-2026-43477","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43477","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\n\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\nbefore enabling TRANS_DDI_FUNC_CTL.\n\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\n2-in-1) with an external display connected via a dock using a dodgy\ntype-C cable that made the link training fail. After the failed\nlink training the machine would hang. TGL seemed immune to the\nproblem for whatever reason.\n\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\nas well. The DMC firmware also does the VRR restore in two stages:\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\n  and a few other VRR registers, among other things\n- second stage is conditional on the DDI being enabled,\n  and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\n  among other things\n\nSo let's reorder the steps to match to avoid the hang, and\ntoss in an extra WARN to make sure we don't screw this up later.\n\nBSpec: 22243\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)","Type":"Description","Title":"drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUN"}]}}}