drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

Summary

CVE	CVE-2026-53136
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:30 UTC
Updated	2026-06-25 09:16:30 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp_ext_hdmi_reg_settings[9] and dp_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

Risk And Classification

EPSS: 0.001720000 probability, percentile 0.069050000 (date 2026-06-27)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 029571d51140650783be4fb98fe7cb4754752086 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 5f8b39452fb16f507c9e4d8b4a83ce27e893307c git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 4d1c3c26c2ab1842e139e61983395d64bd2e518b git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d6be8e59af412623e3d874be3a048406c0edfe60 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 3f32d52ec604c659725d865cf8cc6a17a33f9c6a git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117 git	Not specified
CNA	Linux	Linux	affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 fb0707ce00eef4e2d60c3020e1c0432739703e4a git	Not specified
CNA	Linux	Linux	affected 5.15.210 semver	Not specified
CNA	Linux	Linux	affected 6.1.176 semver	Not specified
CNA	Linux	Linux	affected 6.6.143 semver	Not specified
CNA	Linux	Linux	affected 6.12.94 semver	Not specified
CNA	Linux	Linux	affected 6.18.36 semver	Not specified
CNA	Linux	Linux	affected 7.0.13 semver	Not specified
CNA	Linux	Linux	unaffected 5.15.210 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.176 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/fb0707ce00eef4e2d60c3020e1c0432739703e4a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/029571d51140650783be4fb98fe7cb4754752086	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5f8b39452fb16f507c9e4d8b4a83ce27e893307c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4d1c3c26c2ab1842e139e61983395d64bd2e518b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d6be8e59af412623e3d874be3a048406c0edfe60	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3f32d52ec604c659725d865cf8cc6a17a33f9c6a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.