CVE-2026-53285 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED

[Why]
dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with
DC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(),
which disables local softirqs.

The DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to
allocate ~335 KiB for dc_plane_state. This triggers the vmalloc path,
which calls BUG_ON(in_interrupt()) because it's invoked within the
FPU-enabled (softirq disabled) region, leading to a kernel crash.

[How]
Wrap the dc_state_create_phantom_plane() call with the
DC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during
this memory allocation.

(cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)

Published: 2026-06-26

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when the AMD DRM driver attempts to allocate memory for a phantom plane while the FPU is disabled and softirqs are turned off. Because the vmalloc implementation contains a BUG_ON that asserts the current context must not be an interrupt, the kernel panics and crashes, producing an immediate denial of service. The flaw originates from a misuse of kernel APIs that violate a preemption and interrupt context invariant, characteristic of CWE‑391.

Affected Systems

All Linux systems using an x86, non‑RT kernel version that lacks the commit adding DC_RUN_WITH_PREEMPTION_ENABLED to the dcn32_enable_phantom_plane path are affected. This includes any distribution that bundles the AMD display driver code for DML1 before the patch commit 885ccbef7b94a8b38f69c4211c679021aa27ad11.

Risk and Exploitability

Exploit requires triggering the phantom‑plane allocation path, which typically occurs when a display device is connected or driver interfaces are exercised. The crash is deterministic and the attacker needs local, privileged execution or access to the graphics subsystem. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, indicating no known exploitation in the wild. Thus, the risk is moderate to high for systems that expose the graphics subsystem to untrusted users, but lower for strictly isolated, hardened environments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`235c67634230b0f9ad8c0185272fed36c892b1c4`	affected	< 30bb2ec6695d62f63db4aa6179c4626834ed0cd6
`235c67634230b0f9ad8c0185272fed36c892b1c4`	affected	< 183182235f6d53bac62c6c39014738a54a68dfa6

Linux

affected

Version	Status	Constraints
`6.0`	affected	—
`0`	unaffected	< 6.0
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a Linux kernel that includes commit 885ccbef7b94a8b38f69c4211c679021aa27ad11 or a later release that wraps the allocation with DC_RUN_WITH_PREEMPTION_ENABLED and removes the BUG_ON.
Reboot the system to load the updated kernel and ensure the new driver code is active.
If an immediate kernel upgrade cannot be performed, temporarily disable the AMD DRM driver (e.g., blacklist the amdgpu or drm module) or avoid connecting display hardware that triggers the phantom‑plane path until the patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/183182235f6d53bac62c6c39014738a54a68dfa6
https://git.kernel.org/stable/c/30bb2ec6695d62f63db4aa6179c4626834ed0cd6

History

Fri, 26 Jun 2026 23:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-391

Fri, 26 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED [Why] dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with DC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(), which disables local softirqs. The DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to allocate ~335 KiB for dc_plane_state. This triggers the vmalloc path, which calls BUG_ON(in_interrupt()) because it's invoked within the FPU-enabled (softirq disabled) region, leading to a kernel crash. [How] Wrap the dc_state_create_phantom_plane() call with the DC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during this memory allocation. (cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)
Title		drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/183182235f6d53bac62c6c39014738a54a68dfa6 https://git.kernel.org/stable/c/30bb2ec6695d62f63db4aa6179c4626834ed0cd6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-26T19:40:46.328Z

Updated: 2026-06-26T19:40:46.328Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53285

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses

CWE-391
Unchecked Error Condition

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object