Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix dc_link NULL handling in HPD init

amdgpu_dm_hpd_init() may see connectors without a valid dc_link.

The code already checks dc_link for the polling decision, but later
unconditionally dereferences it when setting up HPD interrupts.

Assign dc_link early and skip connectors where it is NULL.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init()
error: we previously assumed 'dc_link' could be null (see line 931)

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c
923 /*
924 * Analog connectors may be hot-plugged unlike other connector
925 * types that don't support HPD. Only poll analog connectors.
926 */
927 use_polling |=
928 amdgpu_dm_connector->dc_link &&
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed

929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id);
930
931 dc_link = amdgpu_dm_connector->dc_link;

dc_link assigned here.

932
933 /*
934 * Get a base driver irq reference for hpd ints for the lifetime
935 * of dm. Note that only hpd interrupt types are registered with
936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on
937 * hpd_rx isn't available. DM currently controls hpd_rx
938 * explicitly with dc_interrupt_set()
939 */
--> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) {
^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here.

941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1;
942 /*
943 * TODO: There's a mismatch between mode_info.num_hpd
944 * and what bios reports as the # of connectors with hpd
Published: 2026-06-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unhandled NULL pointer dereference in the Linux kernel’s AMDGPU driver may occur during hot‑plug detection when connectors have no valid dc_link. The kernel unconditionally dereferences dc_link in amdgpu_dm_hpd_init(), which can crash the operating system, leading to a denial of service for any process depending on the GPU stack. This flaw does not provide direct code execution or data exfiltration; the impact is limited to service interruption and potential system reboot, and it is a classic kernel NULL‑dereference (CWE‑476).

Affected Systems

Linux kernel distributions that contain the upstream AMDGPU DRM driver before the patch commit. All versions of Linux kernels that include the unmodified amdgpu_dm_hpd_init() routine are susceptible until superseded by the fix; this includes commonly used releases such as 5.x and 6.x series found in mainstream distributions.

Risk and Exploitability

The vulnerability’s CVSS score is 5.5, but the EPSS score is < 1% and the issue is not listed in the CISA KEV catalog, so it has not been reported as exploited in the wild. Nevertheless, the flaw is a classic kernel NULL‑dereference (CWE‑476) that can be triggered by paths that lead the driver to initialize a connector lacking a valid dc_link. Based on the description, it is inferred that the attack vector could involve manipulating the physical connection of a display device or presenting a connector state that results in a NULL dc_link; precise exploitation conditions are omitted in the advisory.

Generated by OpenCVE AI on June 9, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system kernel to the latest stable release that incorporates the amdgpu_dm_hpd_init() patch ensuring dc_link NULL checks are in place.
  • If you cannot upgrade immediately, disable automatic hot‑plug detection for AMDGPU devices by modifying driver configuration or using a kernel module parameter (e.g., amdgpu.enable_hpd=0) to prevent the HPD initialization path from executing.
  • If disabling hot‑plug detection is not possible, consider temporarily blacklisting the amdgpu driver module until an updated kernel is available, thereby preventing the driver from loading and avoiding the crash.

Generated by OpenCVE AI on June 9, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD init amdgpu_dm_hpd_init() may see connectors without a valid dc_link. The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts. Assign dc_link early and skip connectors where it is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we previously assumed 'dc_link' could be null (see line 931) drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c 923 /* 924 * Analog connectors may be hot-plugged unlike other connector 925 * types that don't support HPD. Only poll analog connectors. 926 */ 927 use_polling |= 928 amdgpu_dm_connector->dc_link && ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed 929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id); 930 931 dc_link = amdgpu_dm_connector->dc_link; dc_link assigned here. 932 933 /* 934 * Get a base driver irq reference for hpd ints for the lifetime 935 * of dm. Note that only hpd interrupt types are registered with 936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on 937 * hpd_rx isn't available. DM currently controls hpd_rx 938 * explicitly with dc_interrupt_set() 939 */ --> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) { ^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here. 941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1; 942 /* 943 * TODO: There's a mismatch between mode_info.num_hpd 944 * and what bios reports as the # of connectors with hpd
Title drm/amd/display: Fix dc_link NULL handling in HPD init
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-03T15:49:40.645Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46245

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:24.637

Modified: 2026-06-09T20:36:13.313

Link: CVE-2026-46245

cve-icon Redhat

Severity :

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46245 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses