CVE-2026-53058
Received Received - Intake
NULL Pointer Dereference in Linux Kernel DRM Bridge

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() In case if we get errors in cdns_mhdp_link_up() or cdns_mhdp_reg_read() in atomic_enable, we will go to cdns_mhdp_modeset_retry_fn() and will hit NULL pointer while trying to access the mutex. We need the connector to be set before that. Unlike in legacy cases with flag !DRM_BRIDGE_ATTACH_NO_CONNECTOR, we do not have connector initialised in bridge_attach(), so add the mhdp->connector_ptr in device structure to handle both cases with DRM_BRIDGE_ATTACH_NO_CONNECTOR and !DRM_BRIDGE_ATTACH_NO_CONNECTOR, set it in atomic_enable() earlier to avoid possible NULL pointer dereference in recovery paths like modeset_retry_fn() with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53058
EUVD
EUVD-2026-38926
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cadence cdns_mhdp8546_core *
cadence cdns-mhdp8546-core *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause the Linux kernel to dereference a NULL pointer during certain error recovery paths in the cadence cdns-mhdp8546-core driver. This can lead to kernel crashes or system instability, potentially causing denial of service or unexpected behavior in systems using this driver.

Executive Summary

This vulnerability exists in the Linux kernel's drm/bridge component, specifically in the cadence cdns-mhdp8546-core driver. The issue arises because the mhdp connector is not set early enough in the atomic_enable() function. If errors occur in the functions cdns_mhdp_link_up() or cdns_mhdp_reg_read() during atomic_enable, the code attempts to recover by calling cdns_mhdp_modeset_retry_fn(). However, at this point, it tries to access a mutex through a NULL pointer because the connector was not initialized beforehand. This leads to a NULL pointer dereference.

The fix involves setting the mhdp connector earlier in atomic_enable() to ensure it is initialized before any recovery paths that might access it, preventing the NULL pointer dereference.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart