CVE-2026-46263
Received - Intake
Bounds Check Bypass in AMD Display Core Driver

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

eng_id can be negative and that stream_enc_regs[] can be indexed out of bounds.

eng_id is used directly as an index into stream_enc_regs[], which has only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can access memory past the end of the array.

Add a bounds check using ARRAY_SIZE() before using eng_id as an index. The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error:
dcn*_resource.c: stream_encoder_create() may index stream_enc_regs[eng_id] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
    1246 static struct stream_encoder *dcn35_stream_encoder_create(
    1247         enum engine_id eng_id,
    1248         struct dc_context *ctx)
    1249 {
    ...
    1255
    1256         /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
    1257         if (eng_id <= ENGINE_ID_DIGF) {

ENGINE_ID_DIGF is 5. should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative? end_id is type signed long, but there are checks in the caller which prevent it from being negative.

    1258                 vpg_inst = eng_id;
    1259                 afmt_inst = eng_id;
    1260         } else
    1261                 return NULL;
    1262
    ...
    1281
    1282         dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
    1283                                         eng_id, vpg, afmt,
--> 1284                                         &stream_enc_regs[eng_id],
                                                 ^^^^^^^^^^^^^^^^^^^^^^^

This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.

    ...
    1287         return &enc1->base;
    1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast
v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)

Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
amd | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's AMD display driver code, specifically in the drm/amd/display component. The issue arises because the variable eng_id, which can be negative or equal to 5, is used directly as an index into the stream_enc_regs[] array that only has 5 elements (indexed 0 to 4). When eng_id is 5 or negative, it causes an out-of-bounds access, potentially leading to memory corruption or unexpected behavior.

The fix involves adding a bounds check using ARRAY_SIZE() to ensure eng_id is within valid limits before it is used as an index. The commit description also notes that casting to unsigned rejects negative values, while its v2 and v3 changelog entries say the later revisions use an explicit bounds check and drop the casts.
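
The off-by-one described above, reduced to a user-space C program. This is an added example, not the kernel's code or the upstream patch: only the 5-entry array size and ENGINE_ID_DIGF == 5 come from the description, while the struct contents, the ENGINE_ID_UNKNOWN = -1 enumerator and the helper names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Demo enum: ENGINE_ID_DIGF == 5 is from the page; ENGINE_ID_UNKNOWN is assumed. */
enum engine_id { ENGINE_ID_UNKNOWN = -1, ENGINE_ID_DIGF = 5 };

/* Constructed stand-in for the 5-entry register table (valid indices 0..4). */
struct demo_regs { unsigned int base; };
static const struct demo_regs stream_enc_regs[5] = {
    {0x10}, {0x20}, {0x30}, {0x40}, {0x50}
};

/* Guard shown at line 1257 of the listing: `<=` accepts 5 and any negative id. */
static int old_guard_accepts(enum engine_id eng_id)
{
    return eng_id <= ENGINE_ID_DIGF;
}

/* Hardened lookup (demo form): reject anything that is not a valid index
 * and return NULL instead of forming an out-of-bounds pointer. */
static const struct demo_regs *regs_lookup_checked(enum engine_id eng_id)
{
    if (eng_id < 0 || eng_id >= (int)ARRAY_SIZE(stream_enc_regs))
        return NULL;
    return &stream_enc_regs[eng_id];
}

/* Count ids in [lo, hi] that pass the old guard but are not valid indices. */
static int count_unsafe_accepts(int lo, int hi)
{
    int n = 0;
    for (int id = lo; id <= hi; id++)
        if (old_guard_accepts((enum engine_id)id) &&
            regs_lookup_checked((enum engine_id)id) == NULL)
            n++;
    return n;
}

int main(void)
{
    for (int id = -1; id <= 6; id++)
        printf("eng_id=%2d old_guard=%d checked=%s\n", id,
               old_guard_accepts((enum engine_id)id),
               regs_lookup_checked((enum engine_id)id) ? "ok" : "rejected");
    printf("ids accepted by old guard but out of range: %d\n",
           count_unsafe_accepts(-1, 6));
    return 0;
}
```
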


How can this vulnerability impact me?

Out-of-bounds memory access vulnerabilities like this can lead to memory corruption, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service. In this case, if the Linux kernel's AMD display driver accesses memory beyond the intended array bounds, it could destabilize the system or be exploited by malicious actors.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by adding a bounds check before using the eng_id as an index into the stream_enc_regs[] array in the Linux kernel's AMD GPU display driver code.

Immediate mitigation steps include updating the Linux kernel to a version that includes this fix, which ensures that eng_id is properly checked against the array size to prevent out-of-bounds access.

