CVE Catalog

CVE-2026-53136

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

In the Linux kernel drm/amd/display driver, a vulnerability was found due to missing validation of HdmiRegNum and Hdmi6GRegNum fields in VBIOS tables. A malformed VBIOS can set these values up to 255, causing an out-of-bounds heap write during driver initialization.

Risk Assessment

An attacker with VBIOS modification capabilities (e.g., via malware or physical access) could cause kernel memory corruption, leading to system crashes or potential privilege escalation.

Recommendation

Immediately update the Linux kernel to a version containing commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69 or later. Apply the security patch from your distributor for production systems.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS