CVE-2025-71305
Awaiting Analysis Awaiting Analysis - Queue
Buffer Overflow in Linux Kernel DRM DP MST

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/display/dp_mst: Add protection against 0 vcpi When releasing a timeslot there is a slight chance we may end up with the wrong payload mask due to overflow if the delayed_destroy_work ends up coming into play after a DP 2.1 monitor gets disconnected which causes vcpi to become 0 then we try to make the payload = ~BIT(vcpi - 1) which is a negative shift. VCPI id should never really be 0 hence skip changing the payload mask if VCPI is 0. Otherwise it leads to <7> [515.287237] xe 0000:03:00.0: [drm:drm_dp_mst_get_port_malloc [drm_display_helper]] port ffff888126ce9000 (3) <4> [515.287267] -----------[ cut here ]----------- <3> [515.287268] UBSAN: shift-out-of-bounds in ../drivers/gpu/drm/display/drm_dp_mst_topology.c:4575:36 <3> [515.287271] shift exponent -1 is negative <4> [515.287275] CPU: 7 UID: 0 PID: 3108 Comm: kworker/u64:33 Tainted: G S U 6.17.0-rc6-lgci-xe-xe-3795-3e79699fa1b216e92+ #1 PREEMPT(voluntary) <4> [515.287279] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER <4> [515.287279] Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 1645 03/15/2024 <4> [515.287281] Workqueue: drm_dp_mst_wq drm_dp_delayed_destroy_work [drm_display_helper] <4> [515.287303] Call Trace: <4> [515.287304] <TASK> <4> [515.287306] dump_stack_lvl+0xc1/0xf0 <4> [515.287313] dump_stack+0x10/0x20 <4> [515.287316] __ubsan_handle_shift_out_of_bounds+0x133/0x2e0 <4> [515.287324] ? drm_atomic_get_private_obj_state+0x186/0x1d0 <4> [515.287333] drm_dp_atomic_release_time_slots.cold+0x17/0x3d [drm_display_helper] <4> [515.287355] mst_connector_atomic_check+0x159/0x180 [xe] <4> [515.287546] drm_atomic_helper_check_modeset+0x4d9/0xfa0 <4> [515.287550] ? __ww_mutex_lock.constprop.0+0x6f/0x1a60 <4> [515.287562] intel_atomic_check+0x119/0x2b80 [xe] <4> [515.287740] ? find_held_lock+0x31/0x90 <4> [515.287747] ? lock_release+0xce/0x2a0 <4> [515.287754] drm_atomic_check_only+0x6a2/0xb40 <4> [515.287758] ? drm_atomic_add_affected_connectors+0x12b/0x140 <4> [515.287765] drm_atomic_commit+0x6e/0xf0 <4> [515.287766] ? _pfx__drm_printfn_info+0x10/0x10 <4> [515.287774] drm_client_modeset_commit_atomic+0x25c/0x2b0 <4> [515.287794] drm_client_modeset_commit_locked+0x60/0x1b0 <4> [515.287795] ? mutex_lock_nested+0x1b/0x30 <4> [515.287801] drm_client_modeset_commit+0x26/0x50 <4> [515.287804] __drm_fb_helper_restore_fbdev_mode_unlocked+0xdc/0x110 <4> [515.287810] drm_fb_helper_hotplug_event+0x120/0x140 <4> [515.287814] drm_fbdev_client_hotplug+0x28/0xd0 <4> [515.287819] drm_client_hotplug+0x6c/0xf0 <4> [515.287824] drm_client_dev_hotplug+0x9e/0xd0 <4> [515.287829] drm_kms_helper_hotplug_event+0x1a/0x30 <4> [515.287834] drm_dp_delayed_destroy_work+0x3df/0x410 [drm_display_helper] <4> [515.287861] process_one_work+0x22b/0x6f0 <4> [515.287874] worker_thread+0x1e8/0x3d0 <4> [515.287879] ? __pfx_worker_thread+0x10/0x10 <4> [515.287882] kthread+0x11c/0x250 <4> [515.287886] ? __pfx_kthread+0x10/0x10 <4> [515.287890] ret_from_fork+0x2d7/0x310 <4> [515.287894] ? __pfx_kthread+0x10/0x10 <4> [515.287897] ret_from_fork_asm+0x1a/0x30
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71305
EUVD
EUVD-2025-209969
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.17.0-rc6-lgci-xe-xe-3795-3e79699fa1b216e92+*
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's DRM (Direct Rendering Manager) display subsystem, specifically in the handling of DisplayPort Multi-Stream Transport (DP MST). It occurs when releasing a timeslot, where due to a timing issue involving delayed work destruction after a DP 2.1 monitor disconnects, the VCPI (Virtual Channel Payload Identifier) can become zero. Since VCPI should never be zero, the code attempts a bit shift operation with a negative exponent, causing a shift-out-of-bounds error and potential kernel instability or crash.

The issue arises because the payload mask calculation uses the expression ~BIT(vcpi - 1), which becomes invalid if vcpi is zero, leading to a negative shift. The fix involves skipping the payload mask change if VCPI is zero to prevent this error.

Impact Analysis

This vulnerability can lead to kernel instability or crashes when a DP 2.1 monitor is disconnected under certain timing conditions. The resulting shift-out-of-bounds error can cause the Linux kernel's DRM subsystem to malfunction, potentially leading to system crashes or denial of service.

Detection Guidance

This vulnerability manifests as a kernel error related to an out-of-bounds shift operation in the drm_dp_mst_topology.c driver code. Detection involves monitoring the system kernel logs for specific error messages.

  • Check kernel logs for messages containing 'UBSAN: shift-out-of-bounds' or 'shift exponent -1 is negative'.
  • Use the command: sudo dmesg | grep -i 'UBSAN: shift-out-of-bounds'
  • Alternatively, monitor system logs with: sudo journalctl -k | grep drm_dp_mst

These commands help identify if the kernel has logged the specific error related to this vulnerability.

Mitigation Strategies

The vulnerability has been resolved by adding protection against a zero VCPI value in the Linux kernel drm/display/dp_mst driver.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.

  • Apply the latest kernel updates from your Linux distribution that include the patch for drm/display/dp_mst.
  • If updating the kernel is not immediately possible, consider disabling DisplayPort Multi-Stream Transport (DP MST) functionality if it is not required.

Monitoring kernel logs for the error can also help in early detection until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71305. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart