Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack requires attacker-controlled HDMI repeater hardware, so AV:P (physical) not AV:L; no OS credentials needed (PR:N); kernel heap overwrite yields full C/I/A impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
[Why & How] During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field (max value 1023). This value is used as the read length for the ReceiverID list without being clamped to the size of the destination buffer rx_id_list[177]. A malicious HDMI repeater could advertise a message size larger than the buffer, causing an out-of-bounds write during the I2C read.
Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the rx_id_list buffer, matching the approach already used in the DP branch.
(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
AnalysisAI
Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a malicious or compromised HDMI repeater/sink device physically attached to a system running the affected Linux amdgpu driver, and the driver must initiate HDCP 2.x repeater authentication over that HDMI link. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward low real-world urgency despite a 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker builds or reflashes an HDMI repeater/splitter that reports an oversized ReceiverID message size (up to 1023 bytes) in its RxStatus register and connects it to a victim's AMD-GPU Linux machine. When the driver begins HDCP 2.x repeater authentication and reads the ReceiverID list, the oversized length overflows the 177-byte rx_id_list buffer, corrupting adjacent kernel heap memory and potentially enabling privilege escalation or a crash. … |
| Remediation | Apply the vendor-released kernel patch: upgrade to a fixed stable build - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, or 6.18.36/7.1 or later - matching your kernel series, per the kernel.org stable commits (https://git.kernel.org/stable/c/1906064d50d194a145486e5caf3db3e708b6f6ef and siblings). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory Linux systems running kernel versions 5.6 through 7.1 with HDMI connectivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.
An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu
AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high
AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),
AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),
A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39342
GHSA-36gr-gw56-g35v