Impact
The vulnerability occurs in the AMD Display Driver when processing HDMI HDCP 2.x repeater authentication. The driver reads a 10‑bit size field from the sink's RxStatus register and uses that value directly as the length for reading the ReceiverID list over I2C. Because the value is not clamped to the size of the destination buffer, a malicious HDMI repeater can advertise a message size larger than the buffer and trigger an out‑of‑bounds write inside the kernel. This memory corruption can be leveraged by an attacker to execute arbitrary code or crash the system with kernel privileges. Based on the description, the core weaknesses are an unvalidated length used in a write operation (CWE-120: Buffer over-read or write) and an out‑of‑bounds write (CWE-787).
Affected Systems
All Linux kernels that ship the AMD Display Driver (drm/amd/display) are affected. No specific kernel version range is listed, so any kernel containing the unpatched driver code is vulnerable.
Risk and Exploitability
The vulnerability allows an attacker who can supply a malicious HDMI source to trigger the exploit, typically over a physical HDMI connection. While the EPSS score is very low (< 1%), the absence of a mitigated path and the potential for kernel‑level exploitation make the risk high. The vulnerability is not listed in the CISA KEV catalog, but the high severity of a kernel buffer overflow warrants immediate attention. In practice, an attacker would need access to the target machine’s HDMI port and the ability to present a forged HDCP 2.x repeater banner.
OpenCVE Enrichment
Debian DLA