Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

eng_id can be negative, and stream_enc_regs[]
can be indexed out of bounds.

eng_id is used directly as an index into stream_enc_regs[], which has
only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can
access memory past the end of the array.

Add a bounds check using ARRAY_SIZE() before using eng_id as an index.
The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error:
dcn*_resource.c: stream_encoder_create() may index
stream_enc_regs[eng_id] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
1246 static struct stream_encoder *dcn35_stream_encoder_create(
1247 enum engine_id eng_id,
1248 struct dc_context *ctx)
1249 {

...

1255
1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
1257 if (eng_id <= ENGINE_ID_DIGF) {

ENGINE_ID_DIGF is 5. Should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative?
eng_id is type signed long, but there are checks in the caller which prevent it from being negative.

1258 vpg_inst = eng_id;
1259 afmt_inst = eng_id;
1260 } else
1261 return NULL;
1262

...

1281
1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
1283 eng_id, vpg, afmt,
--> 1284 &stream_enc_regs[eng_id],
^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.

...

1287 return &enc1->base;
1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast

v3: The compiler already knows how to compare the two values, so the
cast (int) is not needed. (Roman)
Published: 2026-06-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s AMD display driver uses an engine identifier, eng_id, directly as an index into a five‑element array. When eng_id is negative or equal to five, the index is out of bounds, leading to a potential read or write beyond the allocated memory. The flaw is classified as CWE‑125 and CWE‑1285. The vulnerability may enable a locally privileged attacker to corrupt kernel memory, which could result in privilege escalation. This is inferred from the description that the access can tamper with kernel data structures, but the CVE record does not explicitly confirm escalation.
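
The guard quoted in the smatch report and an explicit range check, compared in a user-space C sketch. This is an added example, not the kernel patch or code from the CVE record. The enum layout, the negative ENGINE_ID_UNKNOWN member, struct enc_regs and the helper names are assumptions for the demo; only the five-entry array and ENGINE_ID_DIGF being 5 come from the description.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Constructed stand-ins; only "DIGF is 5" and "5 entries" come from the page. */
enum engine_id {
    ENGINE_ID_UNKNOWN = -1,  /* assumed negative member for the demo */
    ENGINE_ID_DIGA, ENGINE_ID_DIGB, ENGINE_ID_DIGC,
    ENGINE_ID_DIGD, ENGINE_ID_DIGE, ENGINE_ID_DIGF
};
struct enc_regs { unsigned int base; };  /* hypothetical register block */
static const struct enc_regs stream_enc_regs[5] = { {1}, {2}, {3}, {4}, {5} };

/* Guard quoted in the smatch report: accepts 5 and every negative id. */
static int guard_before(enum engine_id eng_id)
{
    return eng_id <= ENGINE_ID_DIGF;
}

/* Explicit range check tied to the array's real size. */
static int guard_after(enum engine_id eng_id)
{
    return eng_id >= 0 && (size_t)eng_id < ARRAY_SIZE(stream_enc_regs);
}

/* Count ids in [lo, hi] that a guard accepts although they are invalid indices. */
static int bad_accepts(int (*guard)(enum engine_id), int lo, int hi)
{
    int bad = 0;
    for (int id = lo; id <= hi; id++)
        if (guard((enum engine_id)id) &&
            (id < 0 || (size_t)id >= ARRAY_SIZE(stream_enc_regs)))
            bad++;
    return bad;
}

/* Accessor that returns NULL instead of a pointer outside the array. */
static const struct enc_regs *stream_enc_regs_get(enum engine_id eng_id)
{
    return guard_after(eng_id) ? &stream_enc_regs[eng_id] : NULL;
}

int main(void)
{
    printf("bad ids accepted: before=%d after=%d; DIGF rejected=%d\n",
           bad_accepts(guard_before, -1, 6), bad_accepts(guard_after, -1, 6),
           stream_enc_regs_get(ENGINE_ID_DIGF) == NULL);
    return 0;
}
```

Sweeping ids from -1 to 6, the quoted guard lets two invalid indices through (-1 and 5), while the ARRAY_SIZE-based check lets none through.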

Affected Systems

All Linux kernel releases that incorporated the unpatched version of the drm/amd/display driver contain the flaw. The specific file dcn351_resource.c in the driver’s AMD GPU path shows the vulnerable indexing. Any system running a kernel version without the ARRAY_SIZE guard around eng_id is affected.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Based on the driver design, the attack surface is a local process able to send commands to the GPU, providing an invalid engine identifier. This assessment is inferred from the nature of the driver and the lack of an explicit remote exploit path in the description.

Generated by OpenCVE AI on June 9, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the AMD display driver patch adding an ARRAY_SIZE bounds check on eng_id.
  • If a kernel update is not immediately available, disable the AMD GPU driver or restrict GPU device access to trusted users to prevent untrusted processes from issuing commands that could trigger the out‑of‑bounds access.
  • Implement additional kernel hardening, such as enforcing stricter udev rules for /dev/dri devices, to limit which users can interact with the GPU driver.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 04 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CWE-20

Thu, 04 Jun 2026 00:15:00 +0000


Wed, 03 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CWE-20

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title drm/amd/display: Fix out-of-bounds stream encoder index v3
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-05T06:06:33.332Z

Reserved: 2026-05-13T15:03:33.108Z

Link: CVE-2026-46263

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-06-03T18:16:27.743

Modified: 2026-06-09T19:57:29.220

Link: CVE-2026-46263

Redhat

Severity :

Public Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46263 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input