CVE-2026-53137
Received Received - Intake
Buffer Overflow in AMD Display Driver

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size [Why & How] During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field (max value 1023). This value is used as the read length for the ReceiverID list without being clamped to the size of the destination buffer rx_id_list[177]. A malicious HDMI repeater could advertise a message size larger than the buffer, causing an out-of-bounds write during the I2C read. Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the rx_id_list buffer, matching the approach already used in the DP branch. (cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53137
EUVD
EUVD-2026-39342
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's AMD display driver related to HDMI HDCP 2.x repeater authentication. During this process, the driver reads a message size field from the sink's RxStatus register and uses this value to determine how much data to read into a buffer called rx_id_list. However, the message size is not properly limited to the buffer's size, allowing a malicious HDMI repeater to specify a size larger than the buffer. This causes an out-of-bounds write during the I2C read operation, potentially leading to memory corruption.

Impact Analysis

The vulnerability can lead to an out-of-bounds write in kernel memory when interacting with a malicious HDMI repeater device. This memory corruption could potentially be exploited to cause system instability, crashes, or even allow an attacker to execute arbitrary code with kernel privileges, compromising the security and stability of the affected system.

Mitigation Strategies

The vulnerability has been resolved by clamping the read length in the mod_hdcp_read_rx_id_list() function to the size of the rx_id_list buffer, preventing out-of-bounds writes during HDMI HDCP2 repeater authentication.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart