Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Debugfs writes require root/CAP_SYS_ADMIN on hardened systems (PR:H); NULL deref path needs specific hotplug timing state (AC:H); no C/I impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
[Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node.
The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36.
Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
AnalysisAI
NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) local write access to the kernel's debugfs interface, specifically the sdp_message node under /sys/kernel/debug/dri/ - on most production Linux systems debugfs requires root or CAP_SYS_ADMIN, limiting this to privileged local accounts; (2) AMD GPU hardware with a DisplayPort-capable display connector present in the system; (3) the connector must be in the transient state of being connected but not yet bound to a CRTC, which occurs after a hotplug event and before the next atomic modeset commit. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is constrained by multiple limiting factors despite the A:H (Availability: High) CVSS rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with write access to the kernel's debugfs filesystem (e.g., /sys/kernel/debug/dri/0/sdp_message) on a system with an AMD GPU writes fewer than 36 bytes to the sdp_message node immediately after a display hotplug event before the compositor performs an atomic commit. The kernel dereferences the NULL crtc pointer in dp_sdp_message_debugfs_write(), triggering a NULL pointer dereference kernel oops and crashing the system. … |
| Remediation | The primary fix is to upgrade to a patched Linux kernel version for the applicable stable branch: 5.10.259 or later, 5.15.210 or later, 6.1.176 or later, 6.6.143 or later, 6.12.94 or later, 6.18.36 or later, 7.0.13 or later, or 7.1 final. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu
AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high
AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),
AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),
A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39340
GHSA-mmv6-wm63-ppr6