Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Bound VBIOS record-chain walk loops

[Why & How]
All record-chain walk loops in bios_parser.c and bios_parser2.c use
for(;;) and only terminate on a 0xFF record_type sentinel or zero
record_size. A malformed VBIOS image missing the terminator record
causes unbounded iteration at probe time, potentially hundreds of
thousands of iterations with record_size=1. In the final iterations
near the BIOS image boundary, struct casts beyond the 2-byte header
validated by GET_IMAGE can also read out of bounds.

Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)
iterations. The atombios.h defines up to 22 distinct record types
and atomfirmware.h has 13. Assuming an average of less than 10
records per type (which is reasonable since most are connector-
based) 256 is a generous upper bound.

(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed VBIOS image lacking the terminating record_type sentinel causes the Linux kernel’s AMD display DRM subsystem to iterate record‑chain loops without bound. The unbounded traversal may result in hundreds of thousands of iterations, and the final passes near the image boundary perform struct casts that read beyond the verified 2‑byte header. This out‑of‑bounds read can expose kernel memory contents, and the excessive looping can bring down the kernel, resulting in a denial of service or potential information disclosure.

Affected Systems

All Linux kernel releases that contain the drm/amd/display code before the patch introduced in commit 95700a3d660287ed657d6892f7be9ffc0e294a93 are affected. Any distribution shipping a kernel prior to this commit is therefore vulnerable, regardless of distribution or hardware vendor, as the flaw resides in the upstream kernel tree.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires a custom or tampered VBIOS image supplied to an AMD GPU during device initialization. The scenario is limited to contexts where an attacker can influence the GPU firmware—such as during manufacturing, firmware updates, or by inserting a malicious BIOS image. The EPSS score is below 1 %, there is no public exploit, and the vulnerability is not listed in CISA KEV, indicating a very low probability of real‑world exploitation. Nonetheless, the impact—a kernel crash or information leak—becomes high in environments where untrusted BIOS images can be loaded.

Generated by OpenCVE AI on June 26, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 95700a3d660287ed657d6892f7be9ffc0e294a93 (or later).
  • Configure the system and firmware to load only signed or otherwise validated AMD GPU VBIOS images; block any custom or unverified BIOS uploads.
  • Monitor kernel log files for signs of panics or failures during AMD GPU initialization and apply vendor firmware or driver updates as soon as they become available.

Generated by OpenCVE AI on June 26, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 12:15:00 +0000


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-400

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-400

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Bound VBIOS record-chain walk loops [Why & How] All record-chain walk loops in bios_parser.c and bios_parser2.c use for(;;) and only terminate on a 0xFF record_type sentinel or zero record_size. A malformed VBIOS image missing the terminator record causes unbounded iteration at probe time, potentially hundreds of thousands of iterations with record_size=1. In the final iterations near the BIOS image boundary, struct casts beyond the 2-byte header validated by GET_IMAGE can also read out of bounds. Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256) iterations. The atombios.h defines up to 22 distinct record types and atomfirmware.h has 13. Assuming an average of less than 10 records per type (which is reasonable since most are connector- based) 256 is a generous upper bound. (cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
Title drm/amd/display: Bound VBIOS record-chain walk loops
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:50:51.199Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53138

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53138 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses