CVE-2026-53136 - Vulnerability Details

- drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Clamp VBIOS HDMI retimer register count to array size

[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.

Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().

(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)

Published: 2026-06-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< 029571d51140650783be4fb98fe7cb4754752086
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< 5f8b39452fb16f507c9e4d8b4a83ce27e893307c
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< 4d1c3c26c2ab1842e139e61983395d64bd2e518b
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< d6be8e59af412623e3d874be3a048406c0edfe60
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< 3f32d52ec604c659725d865cf8cc6a17a33f9c6a
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< 8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117
`1e8635ea0ea370bf4f0f2b2f1b3eb61474dd962a`	affected	< fb0707ce00eef4e2d60c3020e1c0432739703e4a

Linux

affected

Version	Status	Constraints
`4.15`	affected	—
`0`	unaffected	< 4.15
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,029571d51140650783be4fb98fe7cb4754752086)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5f8b39452fb16f507c9e4d8b4a83ce27e893307c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4d1c3c26c2ab1842e139e61983395d64bd2e518b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d6be8e59af412623e3d874be3a048406c0edfe60)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3f32d52ec604c659725d865cf8cc6a17a33f9c6a)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fb0707ce00eef4e2d60c3020e1c0432739703e4a)`	affected	code_commit	—
`[0,5.15.210)`	affected	semver	—
`[0,6.1.176)`	affected	semver	—
`[0,6.6.143)`	affected	semver	—
`[0,6.12.94)`	affected	semver	—
`[0,6.18.36)`	affected	semver	—
`[0,7.0.13)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.15.210,5.15.*]`	unaffected	semver	—
`[6.1.176,6.1.*]`	unaffected	semver	—
`[6.6.143,6.6.*]`	unaffected	semver	—
`[6.12.94,6.12.*]`	unaffected	semver	—
`[6.18.36,6.18.*]`	unaffected	semver	—
`[7.0.13,7.0.*]`	unaffected	semver	—
`[7.1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00172.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/029571d51140650783be4fb98fe7cb4754752086
https://git.kernel.org/stable/c/3f32d52ec604c659725d865cf8cc6a17a33f9c6a
https://git.kernel.org/stable/c/4d1c3c26c2ab1842e139e61983395d64bd2e518b
https://git.kernel.org/stable/c/5f8b39452fb16f507c9e4d8b4a83ce27e893307c
https://git.kernel.org/stable/c/8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117
https://git.kernel.org/stable/c/d6be8e59af412623e3d874be3a048406c0edfe60
https://git.kernel.org/stable/c/fb0707ce00eef4e2d60c3020e1c0432739703e4a
https://lore.kernel.org/linux-cve-announce/2026062543-CVE-2026-53136-b8ab@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53136
https://www.cve.org/CVERecord?id=CVE-2026-53136

History

Fri, 26 Jun 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-122

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026062543-CVE-2026-53136-b8ab@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53136 https://www.cve.org/CVERecord?id=CVE-2026-53136

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size [Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp_ext_hdmi_reg_settings[9] and dp_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe. Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1(). (cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Title		drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/029571d51140650783be4fb98fe7cb4754752086 https://git.kernel.org/stable/c/3f32d52ec604c659725d865cf8cc6a17a33f9c6a https://git.kernel.org/stable/c/4d1c3c26c2ab1842e139e61983395d64bd2e518b https://git.kernel.org/stable/c/5f8b39452fb16f507c9e4d8b4a83ce27e893307c https://git.kernel.org/stable/c/8aaa7e317fbd4beb9c6a9f77aa4cf52fae78b117 https://git.kernel.org/stable/c/d6be8e59af412623e3d874be3a048406c0edfe60 https://git.kernel.org/stable/c/fb0707ce00eef4e2d60c3020e1c0432739703e4a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:25.097Z

Updated: 2026-06-29T04:18:52.196Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53136

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53136 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses

CWE-1284

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object