Skip to main content

Linux Kernel EUVDEUVD-2026-39342

| CVE-2026-53137 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-36gr-gw56-g35v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.8 MEDIUM

Attack requires attacker-controlled HDMI repeater hardware, so AV:P (physical) not AV:L; no OS credentials needed (PR:N); kernel heap overwrite yields full C/I/A impact.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 16:53 vuln.today
CVSS changed
Jul 07, 2026 - 16:52 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.8
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size

[Why & How] During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field (max value 1023). This value is used as the read length for the ReceiverID list without being clamped to the size of the destination buffer rx_id_list[177]. A malicious HDMI repeater could advertise a message size larger than the buffer, causing an out-of-bounds write during the I2C read.

Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the rx_id_list buffer, matching the approach already used in the DP branch.

(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)

AnalysisAI

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attach malicious HDMI repeater
Delivery
Trigger HDCP 2.x repeater authentication
Exploit
Advertise oversized RxStatus message size
Execution
Driver reads ReceiverID list past rx_id_list[177]
Persist
Out-of-bounds kernel heap write
Impact
Memory corruption or privilege escalation

Vulnerability AssessmentAI

Exploitation Requires a malicious or compromised HDMI repeater/sink device physically attached to a system running the affected Linux amdgpu driver, and the driver must initiate HDCP 2.x repeater authentication over that HDMI link. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward low real-world urgency despite a 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker builds or reflashes an HDMI repeater/splitter that reports an oversized ReceiverID message size (up to 1023 bytes) in its RxStatus register and connects it to a victim's AMD-GPU Linux machine. When the driver begins HDCP 2.x repeater authentication and reads the ReceiverID list, the oversized length overflows the 177-byte rx_id_list buffer, corrupting adjacent kernel heap memory and potentially enabling privilege escalation or a crash. …
Remediation Apply the vendor-released kernel patch: upgrade to a fixed stable build - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or 6.18.36/7.1 or later - matching your kernel series, per the kernel.org stable commits (https://git.kernel.org/stable/c/1906064d50d194a145486e5caf3db3e708b6f6ef and siblings). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory Linux systems running kernel versions 5.6 through 7.1 with HDMI connectivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Share

EUVD-2026-39342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy