CVE-2026-43337 - Vulnerability Details

- drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()

dcn401_init_hw() assumes that update_bw_bounding_box() is valid when
entering the update path. However, the existing condition:

((!fams2_enable && update_bw_bounding_box) || freq_changed)

does not guarantee this, as the freq_changed branch can evaluate to true
independently of the callback pointer.

This can result in calling update_bw_bounding_box() when it is NULL.

Fix this by separating the update condition from the pointer checks and
ensuring the callback, dc->clk_mgr, and bw_params are validated before
use.

Fixes the below:
../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362)

(cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a NULL pointer dereference in the AMD graphics driver’s dcn401_init_hw() function, which can cause the kernel to call a null callback during hardware initialisation. This missing validation can lead to a kernel crash and potentially elevate the attacker’s privileges if local code execution is achieved.

Affected Systems

The vulnerability is present in the Linux kernel’s AMD display driver (drm/amd/display). All kernels that include the affected dcn401_init_hw() code path are at risk; no specific version numbers are given, so any unpatched kernel containing that code is vulnerable.

Risk and Exploitability

Because the defect lies in kernel space, exploitation is a local scenario that could result in denial of service or privilege escalation. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but the nature of a NULL pointer dereference in kernel code indicates a high severity risk. A successful trigger would cause a kernel panic or allow local privilege escalation if the attacker can provoke the update path, for example by changing display frequencies.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4`	affected	< 10c13c111d0d7f8e101c742feff264fc98e3f9f7
`ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4`	affected	< 2d4a6f0702c5211e0be8b688c5fc24f082ec74d6
`ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4`	affected	< e927b36ae18b66b49219eaa9f46edc7b4fdbb25e
`e13689793b9c0e7b5749954e77f5f85e68fe7138`	affected	—

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4,10c13c111d0d7f8e101c742feff264fc98e3f9f7)`	affected	code_commit	—
`[ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4,2d4a6f0702c5211e0be8b688c5fc24f082ec74d6)`	affected	code_commit	—
`[ca0fb243c3bb53dbbd71d16c76f319bf923ee3d4,e927b36ae18b66b49219eaa9f46edc7b4fdbb25e)`	affected	code_commit	—
`e13689793b9c0e7b5749954e77f5f85e68fe7138`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	generic	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit that fixes dcn401_init_hw()
If a patch cannot be applied immediately, disable the AMD display driver (e.g., set amdgpu.modeset=0 or blacklist the amdgpu module) to stop the vulnerable code path from executing
As a temporary workaround, avoid operations that trigger display frequency changes or consider switching to an alternate graphics stack until the kernel is patched

Generated by OpenCVE AI on May 8, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/10c13c111d0d7f8e101c742feff264fc98e3f9f7
https://git.kernel.org/stable/c/2d4a6f0702c5211e0be8b688c5fc24f082ec74d6
https://git.kernel.org/stable/c/e927b36ae18b66b49219eaa9f46edc7b4fdbb25e

History

Fri, 08 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw() dcn401_init_hw() assumes that update_bw_bounding_box() is valid when entering the update path. However, the existing condition: ((!fams2_enable && update_bw_bounding_box) \|\| freq_changed) does not guarantee this, as the freq_changed branch can evaluate to true independently of the callback pointer. This can result in calling update_bw_bounding_box() when it is NULL. Fix this by separating the update condition from the pointer checks and ensuring the callback, dc->clk_mgr, and bw_params are validated before use. Fixes the below: ../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362) (cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)
Title		drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/10c13c111d0d7f8e101c742feff264fc98e3f9f7 https://git.kernel.org/stable/c/2d4a6f0702c5211e0be8b688c5fc24f082ec74d6 https://git.kernel.org/stable/c/e927b36ae18b66b49219eaa9f46edc7b4fdbb25e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:22.967Z

Updated: 2026-05-08T13:31:22.967Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43337

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:43.517

Modified: 2026-05-08T14:16:43.517

Link: CVE-2026-43337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:45:18Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object