CVE-2026-53136
Received Received - Intake
AMD Display Driver Heap Overflow via VBIOS Register Count

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53136
EUVD
EUVD-2026-39341
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's AMD display driver related to handling VBIOS HDMI retimer register counts.

The VBIOS integrated info tables contain fields (HdmiRegNum and Hdmi6GRegNum) that specify how many I2C register settings to copy into fixed-size arrays.

These fields are not validated before use, so a malformed VBIOS can specify very large values (up to 255), which leads to out-of-bounds heap writes during the driver's probe phase.

The fix clamps these register counts to the size of the destination arrays before copying, preventing the out-of-bounds write.

Impact Analysis

This vulnerability can cause out-of-bounds heap writes in the Linux kernel's AMD display driver.

Such memory corruption can potentially lead to system instability, crashes, or could be exploited to execute arbitrary code with kernel privileges.

The impact depends on whether an attacker can supply a malformed VBIOS to trigger this condition during driver initialization.

Mitigation Strategies

The vulnerability is resolved by clamping the VBIOS HDMI retimer register counts to the size of the destination arrays to prevent out-of-bounds heap writes.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix, which applies min_t() to clamp the HdmiRegNum and Hdmi6GRegNum fields before use.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart