Skip to main content

Linux Kernel CVE-2026-53135

| EUVDEUVD-2026-39340 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mmv6-wm63-ppr6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.1 MEDIUM

Debugfs writes require root/CAP_SYS_ADMIN on hardened systems (PR:H); NULL deref path needs specific hotplug timing state (AC:H); no C/I impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 17:12 vuln.today
CVSS changed
Jul 07, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36.

Fix both issues by:

  • Returning -ENODEV when connector->base.state or state->crtc is NULL
  • Clamping write_size to min(size, sizeof(data))

(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)

AnalysisAI

NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged access
Delivery
Mount/access debugfs on AMD GPU system
Exploit
Trigger display hotplug event
Execution
Write to sdp_message debugfs node
Persist
Dereference NULL crtc pointer
Impact
Kernel panic / system crash

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) local write access to the kernel's debugfs interface, specifically the sdp_message node under /sys/kernel/debug/dri/ - on most production Linux systems debugfs requires root or CAP_SYS_ADMIN, limiting this to privileged local accounts; (2) AMD GPU hardware with a DisplayPort-capable display connector present in the system; (3) the connector must be in the transient state of being connected but not yet bound to a CRTC, which occurs after a hotplug event and before the next atomic modeset commit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is constrained by multiple limiting factors despite the A:H (Availability: High) CVSS rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with write access to the kernel's debugfs filesystem (e.g., /sys/kernel/debug/dri/0/sdp_message) on a system with an AMD GPU writes fewer than 36 bytes to the sdp_message node immediately after a display hotplug event before the compositor performs an atomic commit. The kernel dereferences the NULL crtc pointer in dp_sdp_message_debugfs_write(), triggering a NULL pointer dereference kernel oops and crashing the system. …
Remediation The primary fix is to upgrade to a patched Linux kernel version for the applicable stable branch: 5.10.259 or later, 5.15.210 or later, 6.1.176 or later, 6.6.143 or later, 6.12.94 or later, 6.18.36 or later, 7.0.13 or later, or 7.1 final. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Share

CVE-2026-53135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy