Bug 2492768 (CVE-2026-53136) - CVE-2026-53136 kernel: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
Summary: CVE-2026-53136 kernel: drm/amd/display: Clamp VBIOS HDMI retimer register cou...
Keywords:
Status: NEW
Alias: CVE-2026-53136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:04 UTC by OSIDB Bzimport
Modified: 2026-06-25 23:43 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:04:43 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.

Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().

(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)


Note You need to log in before you can comment on or make changes to this bug.