Skip to main content

Linux Kernel CVE-2026-46263

| EUVDEUVD-2026-34125 HIGH
Out-of-bounds Read (CWE-125)
2026-06-03 Linux GHSA-8h36-wfww-p7v6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 05, 2026 - 07:27 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.8 (HIGH)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:50 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 03, 2026 - 15:50 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds stream encoder index v3

eng_id can be negative and that stream_enc_regs[] can be indexed out of bounds.

eng_id is used directly as an index into stream_enc_regs[], which has only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can access memory past the end of the array.

Add a bounds check using ARRAY_SIZE() before using eng_id as an index. The unsigned cast also rejects negative values.

This avoids out-of-bounds access.

Fixes the below smatch error: dcn*_resource.c: stream_encoder_create() may index stream_enc_regs[eng_id] out of bounds (size 5).

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c 1246 static struct stream_encoder *dcn35_stream_encoder_create( 1247 enum engine_id eng_id, 1248 struct dc_context *ctx) 1249 {

...

1255 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */ 1257 if (eng_id <= ENGINE_ID_DIGF) {

ENGINE_ID_DIGF is 5. should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative? end_id is type signed long, but there are checks in the caller which prevent it from being negative.

1258 vpg_inst = eng_id; 1259 afmt_inst = eng_id; 1260 } else 1261 return NULL; 1262

...

1281 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, 1283 eng_id, vpg, afmt, --> 1284 &stream_enc_regs[eng_id], ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.

...

1287 return &enc1->base; 1288 }

v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast

v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)

AnalysisAI

Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.

Technical ContextAI

The vulnerability resides in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c, part of the AMD Display Core Next (DCN) 3.5.1 stream encoder initialization path for AMD GPUs. The stream_enc_regs[] array contains register block mappings for the Digital Input Output (DIO) hardware blocks, with only 5 valid entries (ENGINE_ID_DIGA through ENGINE_ID_DIGE). The bug occurs because the conditional check uses <= ENGINE_ID_DIGF instead of <, and eng_id is typed as signed (enum engine_id), allowing both the value 5 and theoretically negative values to bypass the intended guard and reach the array indexing operation. While CWE was not assigned, this is a classic out-of-bounds read/write (CWE-125/CWE-787) discovered by the Smatch static analyzer in the kernel's drm subsystem affecting AMD GPU display initialization.

RemediationAI

Vendor-released patch is available - upgrade to a fixed Linux kernel: 6.12.75 (LTS), 6.18.14, 6.19.4, or 7.0+. The fix commits are available at https://git.kernel.org/stable/c/29f3824b08a98d41ecbbfd33580630d7607f962e, https://git.kernel.org/stable/c/263e28add4f4472cfa95150d218955d1945aa413, https://git.kernel.org/stable/c/ca3808d560ad946ab6d089fd1f5bee04b952ead4, and https://git.kernel.org/stable/c/abde491143e4e12eecc41337910aace4e8d59603 across the affected stable trees. For systems that cannot immediately patch, the only meaningful compensating control is to avoid loading the affected amdgpu driver on systems using DCN 3.5.1 hardware (e.g., blacklist amdgpu via modprobe.d), but this disables GPU acceleration and display output entirely on affected AMD platforms and is impractical for most workstation/laptop deployments. Distribution users should monitor their vendor security advisories (RHEL, Ubuntu USN, Debian DSA, SUSE SUSA) for backported fixes since downstream kernel updates typically lag upstream stable releases by days to weeks.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-46263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy