CVE-2026-53136 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://git.kernel.org/stable/c/029571d51140650783be4fb98fe7cb4754752086
https://git.kernel.org/stable/c/3f32d52ec604c659725d865cf8cc6a17a33f9c6a
https://git.kernel.org/stable/c/4d1c3c26c2ab1842e139e61983395d64bd2e518b
https://git.kernel.org/stable/c/5f8b39452fb16f507c9e4d8b4a83ce27e893307c
https://git.kernel.org/stable/c/8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117
https://git.kernel.org/stable/c/d6be8e59af412623e3d874be3a048406c0edfe60
https://git.kernel.org/stable/c/fb0707ce00eef4e2d60c3020e1c0432739703e4a

History

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp_ext_hdmi_reg_settings[9] and dp_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Title		drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/029571d51140650783be4fb98fe7cb4754752086 https://git.kernel.org/stable/c/3f32d52ec604c659725d865cf8cc6a17a33f9c6a https://git.kernel.org/stable/c/4d1c3c26c2ab1842e139e61983395d64bd2e518b https://git.kernel.org/stable/c/5f8b39452fb16f507c9e4d8b4a83ce27e893307c https://git.kernel.org/stable/c/8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117 https://git.kernel.org/stable/c/d6be8e59af412623e3d874be3a048406c0edfe60 https://git.kernel.org/stable/c/fb0707ce00eef4e2d60c3020e1c0432739703e4a

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:25.097Z

Updated: 2026-06-25T08:38:25.097Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53136

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:15:10Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object