Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Use krealloc_array() in dal_vector_reserve()

[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.

Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.

(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Published: 2026-07-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux kernel's AMD display driver, where dal_vector_reserve() calculates the buffer size with 32-bit arithmetic. On overflow the computed size wraps, causing krealloc() to return a smaller buffer than required, so subsequent vector appends can write beyond the allocated memory and corrupt the heap. The driver was updated to use krealloc_array(), which detects integer overflow and returns NULL to avoid the bug. The vulnerability maps to CWE-122 (heap-based buffer overflow) and CWE-680 (integer overflow to buffer overflow).
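The size arithmetic described above, as an added userspace example (not the kernel's or the driver's code). The function names and the sample values are constructed for illustration, and GCC/Clang's __builtin_mul_overflow stands in for the overflow check that krealloc_array() is described as performing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix size computation: uint32_t * uint32_t wraps modulo 2^32. */
static uint32_t size_wrapping_u32(uint32_t capacity, uint32_t struct_size)
{
    return capacity * struct_size;
}

/* Stand-in for the checked multiply: computed in size_t, and a wrap is
 * reported as failure instead of being returned as a small size. */
static bool size_checked(size_t n, size_t elem_size, size_t *bytes)
{
    return !__builtin_mul_overflow(n, elem_size, bytes);
}

/* Number of element slots the vector believes it owns that lie past the
 * end of a buffer of bytes_requested bytes. */
static uint64_t phantom_slots(uint32_t capacity, uint32_t struct_size,
                              uint64_t bytes_requested)
{
    uint64_t fit = struct_size ? bytes_requested / struct_size : 0;
    return capacity > fit ? capacity - fit : 0;
}

int main(void)
{
    /* Constructed values: 0x10000001 * 16 = 0x100000010, which needs 33 bits. */
    uint32_t capacity = 0x10000001u, struct_size = 16;
    uint32_t wrapped = size_wrapping_u32(capacity, struct_size);
    size_t bytes;

    printf("unchecked: %u bytes requested, %llu slots out of bounds\n", wrapped,
           (unsigned long long)phantom_slots(capacity, struct_size, wrapped));

    /* With a 64-bit size_t the product fits, so the true size is requested;
     * with a 32-bit size_t the multiply wraps and the reserve must fail. */
    if (!size_checked(capacity, struct_size, &bytes))
        puts("checked: multiply wrapped, reserve fails with NULL");
    else
        printf("checked: %zu bytes requested, %llu slots out of bounds\n", bytes,
               (unsigned long long)phantom_slots(capacity, struct_size, bytes));
    return 0;
}
```

Either outcome of the checked path leaves no undersized buffer: the request is for the true size or the reserve fails.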

Affected Systems

All Linux systems that ship with the unpatched AMDGPU display driver are affected. The affected kernel releases include any version that contains the original dal_vector_reserve() implementation before the commit that replaces it with krealloc_array(). Distributions that rely on the generic Linux kernel without applying this patch are therefore vulnerable.

Risk and Exploitability

No CVSS or EPSS rating has been published and the flaw is not listed in the CISA KEV catalog, yet the potential for kernel‑space heap corruption indicates a moderate to high risk. An attacker would need a local or privileged execution context to trigger the vulnerable vector append, such as by injecting malicious firmware or by exploiting existing driver functionality. Successful exploitation could allow arbitrary kernel memory writes, leading to privilege escalation or denial of service. The precise remediation or attack vector is not detailed, so this vulnerability should be treated as a local kernel privilege escalation risk.

Generated by OpenCVE AI on July 1, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains commit 37668568641ccc4cc1dbca4923d0a16609dd5707, which replaces krealloc() with krealloc_array() in dal_vector_reserve().
  • Disable or unload the AMDGPU display driver if an update cannot be applied immediately, eliminating the vulnerable code path.
  • Monitor system logs and GPU activity for signs of attempted exploitation and enforce stringent access controls around GPU interaction.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000


Wed, 01 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-680

Wed, 01 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-680

Wed, 01 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
Title drm/amd/display: Use krealloc_array() in dal_vector_reserve()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:14.598Z

Reserved: 2026-06-09T07:44:35.398Z

Link: CVE-2026-53329

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Public Date: 2026-07-01T00:00:00Z

Links: CVE-2026-53329 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-01T23:30:17Z
