CVE-2026-53135
Received - Intake
NULL Dereference and Buffer Over-Read in AMD Display Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's drm/amd/display component. The function dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking it for NULL. If a connector is connected but not yet bound to any CRTC (display controller), such as after a hot-plug event and before the next atomic commit, the kernel crashes when the sdp_message debugfs node is written.

Additionally, the function ignores the user-provided size argument and always reads 36 bytes from the user buffer, which can cause a buffer over-read if the provided size is less than 36 bytes.

The fix involves returning an error (-ENODEV) when the connector's base state or CRTC is NULL and clamping the write size to the minimum of the user-provided size and the expected data size.
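A userspace model of the two defects and the fix described above, added here as an illustration and not taken from the kernel source. The structs, the names `sdp_write_before`, `sdp_write_after` and `demo`, and the use of `memcpy()` in place of `copy_from_user()` are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SDP_LEN 36u /* size of the handler's data[] buffer, per the description */
/* Simplified stand-ins for the DRM objects (assumption, not kernel structs). */
struct crtc { int id; };
struct conn_state { struct crtc *crtc; };
struct connector { struct conn_state *state; };

/* Pre-fix pattern: no NULL checks, `size` ignored, always copies SDP_LEN. */
static long sdp_write_before(struct connector *c, const unsigned char *buf,
                             size_t size, unsigned char *data) {
    (void)size; (void)c->state->crtc->id; /* faults if state or crtc is NULL */
    memcpy(data, buf, SDP_LEN);   /* models copy_from_user(data, buf, 36) */
    return SDP_LEN;
}

/* Post-fix pattern: -ENODEV for unbound connectors, clamp to min(size, 36). */
static long sdp_write_after(struct connector *c, const unsigned char *buf,
                            size_t size, unsigned char *data) {
    size_t n = size < SDP_LEN ? size : SDP_LEN;
    if (!c->state || !c->state->crtc)
        return -ENODEV;
    memcpy(data, buf, n);         /* models copy_from_user(data, buf, n) */
    return (long)n;
}

/* Constructed case: caller declares size=4, 0xAA bytes follow in memory.
 * bound=0 models a connected connector with no CRTC (hardened path only).
 * Returns the handler's error, else how many 0xAA bytes reached data[]. */
static long demo(int hardened, int bound) {
    unsigned char mem[SDP_LEN], data[SDP_LEN] = {0};
    struct crtc crtc = {0};
    struct conn_state st = {bound ? &crtc : NULL};
    struct connector c = {&st};
    long r, stray = 0;
    memset(mem, 0xAA, sizeof mem);
    memcpy(mem, "\x01\x02\x03\x04", 4);
    r = (hardened ? sdp_write_after : sdp_write_before)(&c, mem, 4, data);
    for (size_t i = 4; i < SDP_LEN; i++) stray += data[i] == 0xAA;
    return r < 0 ? r : stray;
}

int main(void) {
    printf("before: %ld stray bytes\n", demo(0, 1));
    printf("after:  %ld stray bytes, unbound -> %ld\n", demo(1, 1), demo(1, 0));
    return 0;
}
```

`demo(0, 0)` is deliberately never called: it would take the unchecked dereference path that the description identifies as the crash.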

Impact Analysis

This vulnerability can cause the Linux kernel to crash when writing to the sdp_message debugfs node under certain conditions, such as when a display connector is connected but not yet bound to a display controller. This can lead to system instability or denial of service due to kernel crashes.

Furthermore, the buffer over-read reads past the end of the user-supplied buffer when fewer than 36 bytes are provided, which might cause unpredictable behavior or security risks, although no specific exploit details are provided.

Mitigation Strategies

The vulnerability has been resolved by fixing the Linux kernel code to prevent NULL pointer dereference and buffer over-read in the drm/amd/display SDP debugfs interface.

Immediate mitigation steps include updating your Linux kernel to a version that includes the fix for this vulnerability.

  • Apply the patch that returns -ENODEV when connector->base.state or state->crtc is NULL.
  • Ensure the kernel clamps the write size to the minimum of the user-provided size and the expected data size to prevent buffer over-read.