drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

Summary

CVE	CVE-2026-53135
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:30 UTC
Updated	2026-06-25 09:16:30 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs [Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node. The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36. Fix both issues by: - Returning -ENODEV when connector->base.state or state->crtc is NULL - Clamping write_size to min(size, sizeof(data)) (cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)

Risk And Classification

EPSS: 0.001760000 probability, percentile 0.073860000 (date 2026-06-26)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b ee9cfcf77a8e8af637396dc00966df5f701e661c git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b b781f90a9528555c709e59789550893581ef0be4 git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b a2de1d71891a038a9346b2c1a72b88c8350f2479 git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b 7fc4fab4acc307ad2903312c195872b2953d32c3 git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b 7ae95c0275c330b5dbae806f8e431720edad776f git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b bb6f705b73b5f191f14ad004e2c8c4b615806187 git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b c90954cdea4d6998ec345de0d840d030c145b89e git	Not specified
CNA	Linux	Linux	affected c7ba3653e9773256b2b08508a2ed2ca28ea7566b adf67034b1f61f7119295208085bfd43f85f56af git	Not specified
CNA	Linux	Linux	affected 5.2	Not specified
CNA	Linux	Linux	unaffected 5.2 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.259 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b781f90a9528555c709e59789550893581ef0be4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/adf67034b1f61f7119295208085bfd43f85f56af	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ee9cfcf77a8e8af637396dc00966df5f701e661c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7ae95c0275c330b5dbae806f8e431720edad776f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/bb6f705b73b5f191f14ad004e2c8c4b615806187	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a2de1d71891a038a9346b2c1a72b88c8350f2479	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7fc4fab4acc307ad2903312c195872b2953d32c3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c90954cdea4d6998ec345de0d840d030c145b89e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.