Skip to main content

Linux Kernel CVE-2026-53138

| EUVDEUVD-2026-39343 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qc6f-vg59-3945
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
5.1 MEDIUM

Supplying a malformed VBIOS requires privileged control over the firmware image (PR:H); vector is local, the OOB read is small (C:L), and the primary impact is a probe-time hang (A:H).

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 16:55 vuln.today
CVSS changed
Jul 07, 2026 - 16:52 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Bound VBIOS record-chain walk loops

[Why & How] All record-chain walk loops in bios_parser.c and bios_parser2.c use for(;;) and only terminate on a 0xFF record_type sentinel or zero record_size. A malformed VBIOS image missing the terminator record causes unbounded iteration at probe time, potentially hundreds of thousands of iterations with record_size=1. In the final iterations near the BIOS image boundary, struct casts beyond the 2-byte header validated by GET_IMAGE can also read out of bounds.

Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256) iterations. The atombios.h defines up to 22 distinct record types and atomfirmware.h has 13. Assuming an average of less than 10 records per type (which is reasonable since most are connector- based) 256 is a generous upper bound.

(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)

AnalysisAI

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local privileged access to target
Delivery
Supply malformed VBIOS lacking terminator record
Exploit
Trigger unbounded record-chain walk at amdgpu probe
Execution
Loop casts bytes past validated header
Impact
Probe hang plus small out-of-bounds kernel read

Vulnerability AssessmentAI

Exploitation Exploitation requires the amdgpu AMD Display Core driver to probe a maliciously crafted VBIOS/atombios image whose record chain is missing the 0xFF terminator record (or presents record_size=1 without termination); this is a firmware-parsing bug reachable at device/driver probe time, not over any network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, score 7.1) frames this as a local, low-privilege issue with high confidentiality and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local administrator or an attacker with control of the GPU firmware/ROM (for example via a malicious passthrough device or a crafted VBIOS-override file) presents a VBIOS image whose record chain omits the terminating 0xFF record. When the amdgpu driver probes the device, the parser loops uncontrollably and casts bytes past the validated header, hanging the boot/probe and reading a small amount of adjacent kernel memory. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 7.1, 7.0.13, 6.18.36, or 6.12.94 (or later within each series), which cap all 14 record-chain walk loops at BIOS_MAX_NUM_RECORD (256) iterations. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems with AMD GPUs in production and development environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Share

CVE-2026-53138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy