CVE-2026-46263
Analyzed - Analysis Complete
Bounds Check Bypass in AMD Display Core Driver

Publication date: 2026-06-03

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

eng_id can be negative and stream_enc_regs[] can be indexed out of bounds.

eng_id is used directly as an index into stream_enc_regs[], which has only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can access memory past the end of the array.

Add a bounds check using ARRAY_SIZE() before using eng_id as an index. The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error:
dcn*_resource.c: stream_encoder_create() may index stream_enc_regs[eng_id] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
    1246 static struct stream_encoder *dcn35_stream_encoder_create(
    1247         enum engine_id eng_id,
    1248         struct dc_context *ctx)
    1249 {
    ...
    1255
    1256         /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
    1257         if (eng_id <= ENGINE_ID_DIGF) {

ENGINE_ID_DIGF is 5. should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative? eng_id is type signed long, but there are checks in the caller which prevent it from being negative.

    1258                 vpg_inst = eng_id;
    1259                 afmt_inst = eng_id;
    1260         } else
    1261                 return NULL;
    1262
    ...
    1281
    1282         dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
    1283                                         eng_id, vpg, afmt,
--> 1284                                         &stream_enc_regs[eng_id],
                                                 ^^^^^^^^^^^^^^^^^^^^^^^
This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.

    ...
    1287         return &enc1->base;
    1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast

v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)

Meta Information
Published: 2026-06-03
Last Modified: 2026-06-09
Generated: 2026-06-16
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product         Version / Range
linux     linux_kernel    From 6.13 (inclusive) to 6.18.14 (exclusive)
linux     linux_kernel    From 6.19 (inclusive) to 6.19.4 (exclusive)
linux     linux_kernel    From 6.9 (inclusive) to 6.12.75 (exclusive)
CWE
CWE ID     Description
CWE-125    The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in the Linux kernel's AMD display driver code, specifically in the drm/amd/display component. The issue arises because the variable eng_id, which can be negative or equal to 5, is used directly as an index into the stream_enc_regs[] array that only has 5 elements (indexed 0 to 4). When eng_id is 5 or negative, it causes an out-of-bounds access, potentially leading to memory corruption or unexpected behavior.

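The fix involves adding a bounds check using ARRAY_SIZE() to ensure eng_id is within valid limits before it is used as an index. The description also mentions an unsigned cast that rejects negative values; its v2 and v3 changelog notes indicate that later revisions of the patch use an explicit bounds check and drop the cast.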
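
The off-by-one described above, as an added example that is not the kernel's code or the upstream patch: a user-space model comparing the `eng_id <= ENGINE_ID_DIGF` gate quoted in the smatch report with an ARRAY_SIZE()-based gate. Only `ENGINE_ID_DIGF == 5` and the 5-entry `stream_enc_regs[]` come from the description; the struct layout, register values and helper names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified model: only ENGINE_ID_DIGF == 5 and the 5-entry table are taken
 * from the CVE description; every other name and value here is assumed. */
enum engine_id { ENGINE_ID_DIGF = 5 };
struct enc_regs { unsigned int base; };              /* hypothetical layout */
static const struct enc_regs stream_enc_regs[5] = {
    { 0x100 }, { 0x200 }, { 0x300 }, { 0x400 }, { 0x500 }  /* constructed */
};

typedef int (*gate_fn)(int eng_id);

/* Pre-fix gate quoted in the smatch report: lets 5 and negatives through. */
static int gate_before_fix(int eng_id) { return eng_id <= ENGINE_ID_DIGF; }

/* Hardened gate: the index must lie inside the table. */
static int gate_after_fix(int eng_id)
{
    return eng_id >= 0 && (size_t)eng_id < ARRAY_SIZE(stream_enc_regs);
}

/* Count ids in [lo, hi] that a gate accepts although they are not valid
 * indexes. Nothing is dereferenced, so the audit itself is safe. */
static int count_unsafe_accepts(gate_fn gate, int lo, int hi)
{
    int n = 0;
    for (int id = lo; id <= hi; id++) {
        int valid = id >= 0 && (size_t)id < ARRAY_SIZE(stream_enc_regs);
        if (gate(id) && !valid)
            n++;
    }
    return n;
}

/* Lookup that refuses out-of-range ids instead of forming a bad pointer. */
static const struct enc_regs *stream_enc_lookup(int eng_id)
{
    return gate_after_fix(eng_id) ? &stream_enc_regs[eng_id] : NULL;
}

int main(void)
{
    printf("unsafe ids accepted before fix: %d\n", count_unsafe_accepts(gate_before_fix, -1, 6));
    printf("unsafe ids accepted after fix:  %d\n", count_unsafe_accepts(gate_after_fix, -1, 6));
    printf("lookup(5) is %s\n", stream_enc_lookup(5) ? "non-NULL" : "NULL");
    return 0;
}
```

Tying the limit to ARRAY_SIZE() rather than to an enum constant keeps the check correct if the table is later resized.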

Impact Analysis

Out-of-bounds memory access vulnerabilities like this can lead to memory corruption, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service. In this case, if the Linux kernel's AMD display driver accesses memory beyond the intended array bounds, it could destabilize the system or be exploited by malicious actors.

Mitigation Strategies

The vulnerability is fixed by adding a bounds check before using the eng_id as an index into the stream_enc_regs[] array in the Linux kernel's AMD GPU display driver code.

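Immediate mitigation steps include updating the Linux kernel to a version that includes this fix, which ensures that eng_id is properly checked against the array size to prevent out-of-bounds access. Per the affected ranges listed above, that means 6.12.75, 6.18.14 or 6.19.4 or later within the respective series.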

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
