{"api_version":"1","generated_at":"2026-06-29T17:35:00+00:00","cve":"CVE-2026-53137","urls":{"html":"https://cve.report/CVE-2026-53137","api":"https://cve.report/api/cve/CVE-2026-53137.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53137","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53137"},"summary":{"title":"drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size\n\n[Why & How]\nDuring HDCP 2.x repeater authentication over HDMI, the driver reads the\nsink's RxStatus register and extracts a 10-bit message size field (max\nvalue 1023). This value is used as the read length for the ReceiverID\nlist without being clamped to the size of the destination buffer\nrx_id_list[177]. A malicious HDMI repeater could advertise a message\nsize larger than the buffer, causing an out-of-bounds write during the\nI2C read.\n\nClamp the read length in mod_hdcp_read_rx_id_list() to the size of the\nrx_id_list buffer, matching the approach already used in the DP branch.\n\n(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:31","updated_at":"2026-06-25 09:16:31"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/964e50ef7b8f09815a7d05b8326af700f8d5bc96","name":"https://git.kernel.org/stable/c/964e50ef7b8f09815a7d05b8326af700f8d5bc96","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0f3981c43b32cadfe373d636d9e9ca522bb3702","name":"https://git.kernel.org/stable/c/f0f3981c43b32cadfe373d636d9e9ca522bb3702","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/79e0273272a05fb26f9b1e55bf1a52eefc3b7b35","name":"https://git.kernel.org/stable/c/79e0273272a05fb26f9b1e55bf1a52eefc3b7b35","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/98cfb7530ea91d8e5e928285cdce58e1131f6e83","name":"https://git.kernel.org/stable/c/98cfb7530ea91d8e5e928285cdce58e1131f6e83","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bfba882cfcd08f6540f72f48e786b6404f5d2c5b","name":"https://git.kernel.org/stable/c/bfba882cfcd08f6540f72f48e786b6404f5d2c5b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/91fb41218c413989d8b6c837748751454b452d68","name":"https://git.kernel.org/stable/c/91fb41218c413989d8b6c837748751454b452d68","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3c4444aec06c74fbc05661f370954ac814963c38","name":"https://git.kernel.org/stable/c/3c4444aec06c74fbc05661f370954ac814963c38","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1906064d50d194a145486e5caf3db3e708b6f6ef","name":"https://git.kernel.org/stable/c/1906064d50d194a145486e5caf3db3e708b6f6ef","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53137","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53137","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 3c4444aec06c74fbc05661f370954ac814963c38 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 91fb41218c413989d8b6c837748751454b452d68 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 964e50ef7b8f09815a7d05b8326af700f8d5bc96 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 79e0273272a05fb26f9b1e55bf1a52eefc3b7b35 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 bfba882cfcd08f6540f72f48e786b6404f5d2c5b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 1906064d50d194a145486e5caf3db3e708b6f6ef git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 98cfb7530ea91d8e5e928285cdce58e1131f6e83 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected eff682f83c9c2030761e7536c5d97e1b20f71c15 f0f3981c43b32cadfe373d636d9e9ca522bb3702 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.6","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.6 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53137","cve":"CVE-2026-53137","epss":"0.002120000","percentile":"0.114330000","score_date":"2026-06-28","updated_at":"2026-06-29 00:14:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"3c4444aec06c74fbc05661f370954ac814963c38","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"91fb41218c413989d8b6c837748751454b452d68","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"964e50ef7b8f09815a7d05b8326af700f8d5bc96","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"79e0273272a05fb26f9b1e55bf1a52eefc3b7b35","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"bfba882cfcd08f6540f72f48e786b6404f5d2c5b","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"1906064d50d194a145486e5caf3db3e708b6f6ef","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"98cfb7530ea91d8e5e928285cdce58e1131f6e83","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"},{"lessThan":"f0f3981c43b32cadfe373d636d9e9ca522bb3702","status":"affected","version":"eff682f83c9c2030761e7536c5d97e1b20f71c15","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.6"},{"lessThan":"5.6","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"5.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size\n\n[Why & How]\nDuring HDCP 2.x repeater authentication over HDMI, the driver reads the\nsink's RxStatus register and extracts a 10-bit message size field (max\nvalue 1023). This value is used as the read length for the ReceiverID\nlist without being clamped to the size of the destination buffer\nrx_id_list[177]. A malicious HDMI repeater could advertise a message\nsize larger than the buffer, causing an out-of-bounds write during the\nI2C read.\n\nClamp the read length in mod_hdcp_read_rx_id_list() to the size of the\nrx_id_list buffer, matching the approach already used in the DP branch.\n\n(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)"}],"providerMetadata":{"dateUpdated":"2026-06-25T08:38:25.977Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/3c4444aec06c74fbc05661f370954ac814963c38"},{"url":"https://git.kernel.org/stable/c/91fb41218c413989d8b6c837748751454b452d68"},{"url":"https://git.kernel.org/stable/c/964e50ef7b8f09815a7d05b8326af700f8d5bc96"},{"url":"https://git.kernel.org/stable/c/79e0273272a05fb26f9b1e55bf1a52eefc3b7b35"},{"url":"https://git.kernel.org/stable/c/bfba882cfcd08f6540f72f48e786b6404f5d2c5b"},{"url":"https://git.kernel.org/stable/c/1906064d50d194a145486e5caf3db3e708b6f6ef"},{"url":"https://git.kernel.org/stable/c/98cfb7530ea91d8e5e928285cdce58e1131f6e83"},{"url":"https://git.kernel.org/stable/c/f0f3981c43b32cadfe373d636d9e9ca522bb3702"}],"title":"drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53137","datePublished":"2026-06-25T08:38:25.977Z","dateReserved":"2026-06-09T07:44:35.387Z","dateUpdated":"2026-06-25T08:38:25.977Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:31","lastModifiedDate":"2026-06-25 09:16:31","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53137","Ordinal":"1","Title":"drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size","CVE":"CVE-2026-53137","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53137","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size\n\n[Why & How]\nDuring HDCP 2.x repeater authentication over HDMI, the driver reads the\nsink's RxStatus register and extracts a 10-bit message size field (max\nvalue 1023). This value is used as the read length for the ReceiverID\nlist without being clamped to the size of the destination buffer\nrx_id_list[177]. A malicious HDMI repeater could advertise a message\nsize larger than the buffer, causing an out-of-bounds write during the\nI2C read.\n\nClamp the read length in mod_hdcp_read_rx_id_list() to the size of the\nrx_id_list buffer, matching the approach already used in the DP branch.\n\n(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)","Type":"Description","Title":"drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size"}]}}}