CVE-2026-53136
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
In the Linux kernel drm/amd/display driver, a vulnerability was found due to missing validation of HdmiRegNum and Hdmi6GRegNum fields in VBIOS tables. A malformed VBIOS can set these values up to 255, causing an out-of-bounds heap write during driver initialization.
Risk Assessment
An attacker with VBIOS modification capabilities (e.g., via malware or physical access) could cause kernel memory corruption, leading to system crashes or potential privilege escalation.
Recommendation
Immediately update the Linux kernel to a version containing commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69 or later. Apply the security patch from your distributor for production systems.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

