Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect lies in the Linux kernel’s AMD display DRM driver, where writing to the "sdp_message" debugfs entry dereferences a null connector state or reads past the user‑supplied buffer. This leads to a kernel panic that can force a system reboot. The bug does not grant code execution or privilege escalation; its primary consequence is the loss of availability for any user whose processes rely on a stable kernel.

Affected Systems

All Linux kernel builds that include the unpatched AMD display driver are vulnerable. No specific version numbers are provided, so every distribution using the kernel prior to the commit that introduced the fix must be considered at risk.

Risk and Exploitability

The attack vector is local: it requires write access to the debugfs node, which is normally restricted to privileged users. EPSS is not available and the flaw is not listed in CISA KEV, but the simplicity of the trigger and the severity of a kernel crash make this a high‑risk denial‑of‑service condition for systems where the attacker can reach the debugfs interface. No public exploits are known, yet the exploit path is trivial for an authenticated local user.

Generated by OpenCVE AI on June 25, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that incorporates commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300, which corrects the null dereference and enforces size bounds for the sdp_message write operation.
  • If an immediate kernel upgrade is not possible, remove or restrict access to the "sdp_message" debugfs file—for example, by unmounting debugfs or changing its permissions to deny writes from non‑root processes.
  • For environments that cannot apply a full kernel upgrade, manually cherry‑pick the commit that introduces the fix from the Linux kernel source repository and rebuild the kernel with the patch applied.

Generated by OpenCVE AI on June 25, 2026 at 11:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs [Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node. The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36. Fix both issues by: - Returning -ENODEV when connector->base.state or state->crtc is NULL - Clamping write_size to min(size, sizeof(data)) (cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Title drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:24.216Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53135

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53135 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses