CVE Catalog

CVE-2026-53135

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

In the Linux kernel, the AMD Display driver has a vulnerability involving NULL pointer dereference and buffer over-read in the dp_sdp_message_debugfs_write() function. The issue occurs when a connector is connected but not bound to a CRTC (e.g., after hot-plug before atomic commit), causing a kernel crash. Additionally, the function ignores the user-provided size and always copies 36 bytes, potentially reading past the user buffer.

Risk Assessment

A local attacker can trigger a kernel crash by writing to the sdp_message debugfs node, leading to denial of service (DoS). In extreme cases, it may result in kernel memory disclosure.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit 6ab4c36a5228). If updating is not possible, restrict access to debugfs nodes for unprivileged users.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs [Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node. The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36. Fix both issues by: - Returning -ENODEV when connector->base.state or state->crtc is NULL - Clamping write_size to min(size, sizeof(data)) (cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS