CVE-2026-53329
Low risk· EPSS 9%Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
In the Linux kernel, the AMD Display driver's dal_vector_reserve() function uses uint32_t arithmetic for allocation size calculation, which can silently wrap to a small value on overflow. This leads to a smaller buffer being allocated via krealloc(), causing heap overflows on subsequent vector appends.
Risk Assessment
An attacker could exploit this vulnerability to trigger a heap overflow, potentially causing system crashes or privilege escalation in environments using the AMD Display driver.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit 37668568641ccc4cc1dbca4923d0a16609dd5707) or later, which replaces krealloc() with krealloc_array() including overflow checking.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Use krealloc_array() in dal_vector_reserve() [Why & How] dal_vector_reserve() computes the allocation size as "capacity * vector->struct_size" using uint32_t arithmetic, which can silently wrap to a small value on overflow. This would cause krealloc to return a smaller buffer than expected, leading to heap overflows on subsequent vector appends. Replace krealloc() with krealloc_array() which performs an internal overflow check and returns NULL on wrap, preventing the issue. (cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)

