Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.

Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().

(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's AMD display driver uses values from the VBIOS integrated information tables as loop bounds when copying HDMI retimer register settings into fixed‑size arrays. Because the HdmiRegNum and Hdmi6GRegNum fields are unsigned bytes that can hold values up to 255 and are not validated, a maliciously crafted VBIOS can cause the copy loops to exceed the array bounds, producing an out‑of‑bounds heap write during driver probe. This flaw involves CWE‑1284 (Incorrect Bounds Check). The resulting memory corruption can lead to privilege escalation or denial of service by executing arbitrary code in kernel mode.

Affected Systems

The vulnerability affects any Linux kernel that includes the drm/amd/display driver and that loads a VBIOS which supplies oversized register counts. The specific kernel release is not given, but the issue existed before the commit that introduced the clamp and is fixed in later releases.

Risk and Exploitability

While the EPSS score is reported as less than 1% and the vulnerability is not listed in the CISA KEV catalog, the nature of the flaw—a heap buffer overflow in kernel space—suggests a high potential impact. The required conditions, such as installing a malformed VBIOS during boot or driver initialization, indicate that the attack vector is likely local and requires privileged or physical access to the system. The lack of public exploits does not negate the risk of a future or targeted attack.

Generated by OpenCVE AI on June 26, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel version that includes the commit that clamps the HDMI register counts before copying them from the VBIOS, thereby mitigating the unchecked bounds overflow and the register count validation flaw (CWE‑1284).
  • If an immediate kernel upgrade is not possible, patch the kernel source manually by copying the fix from the commit that introduced the min_t() bounds check into the appropriate source files and rebuild the kernel, ensuring the bounds check (CWE‑1284) is enforced.
  • As a temporary measure for environments that must retain older kernels, consider preventing the loading of malformed VBIOS by enforcing BIOS validation or using firmware that does not expose the HdmiRegNum and Hdmi6GRegNum fields with invalid values, thereby reducing the risk of triggering the CWE‑1284 flaw.

Generated by OpenCVE AI on June 26, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Title drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-29T04:18:52.196Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53136

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53136 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input