CVE-2026-53138
AMD Display Driver VBIOS Record Loop Bounds Issue

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Bound VBIOS record-chain walk loops

[Why & How]
All record-chain walk loops in bios_parser.c and bios_parser2.c use for(;;) and only terminate on a 0xFF record_type sentinel or zero record_size. A malformed VBIOS image missing the terminator record causes unbounded iteration at probe time, potentially hundreds of thousands of iterations with record_size=1. In the final iterations near the BIOS image boundary, struct casts beyond the 2-byte header validated by GET_IMAGE can also read out of bounds.

Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256) iterations. The atombios.h defines up to 22 distinct record types and atomfirmware.h has 13. Assuming an average of less than 10 records per type (which is reasonable since most are connector-based) 256 is a generous upper bound.

(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's AMD display driver, specifically in the handling of VBIOS record-chain walk loops within bios_parser.c and bios_parser2.c.

The loops are written as for(;;) and terminate only on a sentinel record (record_type 0xFF) or a zero record_size. If a malformed VBIOS image lacks the terminator record, the walk has no iteration bound and can run for hundreds of thousands of iterations with a record_size of 1.

In the final iterations near the BIOS image boundary, only the 2-byte record header has been validated by GET_IMAGE, so casting the record to a larger struct can read out of bounds.

The fix caps all 14 record-chain walk loops to a maximum of 256 iterations (BIOS_MAX_NUM_RECORD) to prevent unbounded iteration.
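
The bounded walk described above, as an added user-space sketch that is not the driver's code: the record layout, `get_image` (a hypothetical stand-in for GET_IMAGE), the return codes and the sample images are assumptions made for illustration. The full-struct check is an addition of this sketch; the page only states that the fix adds the iteration cap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BIOS_MAX_NUM_RECORD 256  /* iteration cap named in the advisory */
#define RECORD_END_TYPE 0xFF     /* sentinel record_type from the advisory */
enum { REC_NOT_FOUND = -1, REC_MALFORMED = -2, REC_CAP_HIT = -3 }; /* assumed codes */
struct record_header { uint8_t record_type, record_size; };       /* assumed layout */

/* Hypothetical stand-in for GET_IMAGE: non-NULL only if the range is in the image. */
static const uint8_t *get_image(const uint8_t *bios, size_t size, size_t off, size_t len)
{
    return (off > size || len > size - off) ? NULL : bios + off;
}

/* Return the offset of the first `wanted` record holding at least `need` bytes. */
long find_record(const uint8_t *bios, size_t size, size_t off, uint8_t wanted, size_t need)
{
    for (unsigned int i = 0; i < BIOS_MAX_NUM_RECORD; i++) {
        const uint8_t *p = get_image(bios, size, off, sizeof(struct record_header));
        struct record_header h;
        if (!p)
            return REC_MALFORMED;           /* header itself is past the image */
        memcpy(&h, p, sizeof(h));
        if (h.record_type == RECORD_END_TYPE || h.record_size == 0)
            return REC_NOT_FOUND;           /* the two original exit conditions */
        if (h.record_type == wanted) {
            /* Sketch-only: check the whole struct a caller would cast to. */
            if (h.record_size < need || !get_image(bios, size, off, need))
                return REC_MALFORMED;
            return (long)off;
        }
        off += h.record_size;
    }
    return REC_CAP_HIT;                     /* no terminator within 256 records */
}

/* Constructed malformed image: every byte 0x01, so each record is type 1, size 1. */
long walk_unterminated(size_t size)
{
    static uint8_t img[4096];
    memset(img, 0x01, sizeof(img));
    return find_record(img, size < sizeof(img) ? size : sizeof(img), 0, 0x10, 8);
}

/* Constructed images: a terminated chain, and a record whose body overruns the image. */
const uint8_t good_img[8] = { 0x02, 0x02, 0x10, 0x04, 0xAA, 0xBB, 0xFF, 0x00 };
const uint8_t truncated_img[6] = { 0x02, 0x02, 0x10, 0x08, 0x00, 0x00 };
int main(void) { return walk_unterminated(4096) == REC_CAP_HIT ? 0 : 1; }
```

With the all-0x01 image the walk stops at the cap instead of stepping byte by byte to the end of the image, and the truncated image is rejected before any cast past the validated header.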

Impact Analysis

This vulnerability can cause the Linux kernel to iterate without bound when parsing a malformed VBIOS image at probe time, potentially leading to excessive CPU usage or system instability.

Additionally, out-of-bounds reads near the BIOS image boundary could lead to undefined behavior, which might be exploitable for information disclosure or other security issues.

Mitigation Strategies

The vulnerability has been resolved by capping all 14 record-chain walk loops in the Linux kernel's drm/amd/display code to a maximum of 256 iterations to prevent unbounded iteration caused by malformed VBIOS images.

To remediate, update your Linux kernel to a version that includes the fix, which the description identifies as cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93.
