Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size

[Why & How]
During HDCP 2.x repeater authentication over HDMI, the driver reads the
sink's RxStatus register and extracts a 10-bit message size field (max
value 1023). This value is used as the read length for the ReceiverID
list without being clamped to the size of the destination buffer
rx_id_list[177]. A malicious HDMI repeater could advertise a message
size larger than the buffer, causing an out-of-bounds write during the
I2C read.

Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
rx_id_list buffer, matching the approach already used in the DP branch.

(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the AMD Display Driver when processing HDMI HDCP 2.x repeater authentication. The driver reads a 10‑bit size field from the sink's RxStatus register and uses that value directly as the length for reading the ReceiverID list over I2C. Because the value is not clamped to the size of the destination buffer, a malicious HDMI repeater can advertise a message size larger than the buffer and trigger an out‑of‑bounds write inside the kernel. This memory corruption can be leveraged by an attacker to execute arbitrary code or crash the system with kernel privileges. Based on the description, the core weaknesses are an unvalidated length used in a write operation (CWE-120: Buffer over-read or write) and an out‑of‑bounds write (CWE-787).

Affected Systems

All Linux kernels that ship the AMD Display Driver (drm/amd/display) are affected. No specific kernel version range is listed, so any kernel containing the unpatched driver code is vulnerable.

Risk and Exploitability

The vulnerability allows an attacker who can supply a malicious HDMI source to trigger the exploit, typically over a physical HDMI connection. While the EPSS score is very low (< 1%), the absence of a mitigated path and the potential for kernel‑level exploitation make the risk high. The vulnerability is not listed in the CISA KEV catalog, but the high severity of a kernel buffer overflow warrants immediate attention. In practice, an attacker would need access to the target machine’s HDMI port and the ability to present a forged HDCP 2.x repeater banner.

Generated by OpenCVE AI on June 26, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes commit 229212219e4247d9486f8ba41ef087358490be09 or later to clamp the read length to the buffer size.
  • If an immediate kernel update is not possible, disable the AMD Display Driver or block HDMI input to eliminate the attack surface.
  • If hardware restrictions allow, isolate the display device by using a dedicated video bridge that does not expose the vulnerable HDCP path to untrusted sources.

Generated by OpenCVE AI on June 26, 2026 at 13:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size [Why & How] During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field (max value 1023). This value is used as the read length for the ReceiverID list without being clamped to the size of the destination buffer rx_id_list[177]. A malicious HDMI repeater could advertise a message size larger than the buffer, causing an out-of-bounds write during the I2C read. Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the rx_id_list buffer, matching the approach already used in the DP branch. (cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
Title drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:25.977Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53137

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53137 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T13:30:16Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-787

    Out-of-bounds Write