CVE-2026-46245 in Linux

Summary

by MITRE • 06/03/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix dc_link NULL handling in HPD init

amdgpu_dm_hpd_init() may see connectors without a valid dc_link.

The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts.

Assign dc_link early and skip connectors where it is NULL.

Fixes the below:

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we previously assumed 'dc_link' could be null (see line 931)

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c
    923                 /*
    924                  * Analog connectors may be hot-plugged unlike other connector
    925                  * types that don't support HPD. Only poll analog connectors.
    926                  */
    927                 use_polling |=
    928                         amdgpu_dm_connector->dc_link &&
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The patch adds this NULL check but hopefully it can be removed

    929                         dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id);
    930
    931                 dc_link = amdgpu_dm_connector->dc_link;

dc_link assigned here.

    932
    933                 /*
    934                  * Get a base driver irq reference for hpd ints for the lifetime
    935                  * of dm. Note that only hpd interrupt types are registered with
    936                  * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on
    937                  * hpd_rx isn't available. DM currently controls hpd_rx
    938                  * explicitly with dc_interrupt_set()
    939                  */
--> 940                 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) {
                            ^^^^^^^^^^^^^^^^^^^^^^^
If it's NULL then we are in trouble because we dereference it here.

    941                         irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1;
    942                         /*
    943                          * TODO: There's a mismatch between mode_info.num_hpd
    944                          * and what bios reports as the # of connectors with hpd


Analysis

by VulDB Data Team • 06/03/2026

This vulnerability exists in the amdgpu display driver within the Linux kernel, affecting the drm/amd/display subsystem. The issue stems from improper handling of NULL dc_link pointers during hot-plug detection (HPD) initialization. The amdgpu_dm_hpd_init() function processes connectors without ensuring that dc_link is properly initialized for all cases, creating a potential NULL pointer dereference scenario. The code performs an initial check for dc_link validity when determining polling behavior but fails to maintain this validation when subsequently setting up hot-plug detection interrupts. This flaw violates the principle of defensive programming and creates a direct path for system instability when encountering connectors without valid dc_link references.

The technical execution of this vulnerability occurs at line 940 in the amdgpu_dm_irq.c file where the code unconditionally dereferences dc_link without prior validation. While the code does assign dc_link at line 931, this assignment happens after the initial polling decision logic, leaving a window where connectors without valid dc_link references can proceed to the interrupt setup phase. This represents a classic null pointer dereference vulnerability that can lead to kernel panics and system crashes. The issue is particularly concerning in display subsystems where hot-plug detection is critical for proper device management and user experience.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise the entire graphics subsystem. When the kernel encounters a connector without a valid dc_link, the subsequent dereference causes immediate kernel oops or panic conditions, effectively disabling display functionality until system reboot. This vulnerability affects all systems using AMD graphics hardware with the amdgpu driver, particularly impacting desktop and server environments where dynamic display configuration is common. The issue manifests during system initialization or when display hot-plug events occur, making it a persistent threat to system stability and reliability. From a cybersecurity perspective, this represents a denial-of-service vulnerability that could be exploited by malicious actors to disrupt system operations.

The fix implemented addresses this vulnerability by ensuring dc_link is assigned early in the process and by adding proper NULL checks before interrupt setup. This approach aligns with common security practices for preventing NULL pointer dereferences and follows the principle of least privilege in kernel space operations. The patch maintains the existing logic flow while adding necessary validation steps that prevent the execution path leading to the NULL dereference. This vulnerability maps to CWE-476, which specifically addresses NULL pointer dereference issues in software development. The issue also relates to ATT&CK technique T1499.004, which involves system disruption through kernel-level vulnerabilities. The solution ensures that only valid dc_link references proceed to interrupt configuration, thereby maintaining system integrity and preventing unauthorized access to kernel memory through malformed display connector handling.
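The check-then-use gap and the "assign early, skip if NULL" fix described above, modelled in user space as an added example (not the kernel patch and not code from this page). The struct layouts, enum values, connector ids and sample connectors are simplified assumptions; only the dc_link, irq_source_hpd and DC_IRQ_SOURCE_* names come from the listing.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins for the driver types; layouts and values are assumptions. */
enum { DC_IRQ_SOURCE_INVALID = 0, DC_IRQ_SOURCE_HPD1 = 1 };
enum { ID_HDMI = 1, ID_VGA = 2 };                  /* hypothetical connector ids */
struct dc_link { int id; int irq_source_hpd; };
struct connector { const char *name; const struct dc_link *dc_link; };
struct hpd_result { int irqs_enabled; int skipped; bool use_polling; };

static bool supports_analog(int id) { return id == ID_VGA; }
/* Pre-fix control flow, instrumented instead of crashing: returns the index of the
 * first connector whose NULL dc_link reaches the unguarded read, or -1 if none. */
int first_unchecked_deref(const struct connector *c, size_t n)
{
    bool use_polling = false;
    for (size_t i = 0; i < n; i++) {
        use_polling |= c[i].dc_link && supports_analog(c[i].dc_link->id); /* guarded */
        const struct dc_link *dc_link = c[i].dc_link;
        if (!dc_link)        /* the original reads dc_link->irq_source_hpd here */
            return (int)i;
    }
    (void)use_polling;
    return -1;
}

/* Fixed shape described on the page: assign dc_link early, skip the connector if NULL. */
struct hpd_result hpd_init_fixed(const struct connector *c, size_t n)
{
    struct hpd_result r = { 0, 0, false };
    for (size_t i = 0; i < n; i++) {
        const struct dc_link *dc_link = c[i].dc_link;
        if (!dc_link) { r.skipped++; continue; }
        r.use_polling |= supports_analog(dc_link->id);
        if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID)
            r.irqs_enabled++;                      /* stands in for the HPD irq setup */
    }
    return r;
}

/* Constructed sample: an HPD-capable link, a connector with no link, an analog link. */
static const struct dc_link hdmi = { ID_HDMI, DC_IRQ_SOURCE_HPD1 };
static const struct dc_link vga = { ID_VGA, DC_IRQ_SOURCE_INVALID };
const struct connector sample[] = { { "HDMI-A-1", &hdmi }, { "no-link", NULL }, { "VGA-1", &vga } };

int main(void)
{
    return first_unchecked_deref(sample, 3) == 1 && hpd_init_fixed(sample, 3).skipped == 1 ? 0 : 1;
}
```

The guard on the polling expression protects only that expression; every later use of the same pointer needs its own check or an early skip, which is the pattern the static-analysis warning in the summary flags.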

Responsible: Linux

Reservation: 05/13/2026

Disclosure: 06/03/2026

Moderation: accepted

CPE: ready

EPSS: 0.00018

KEV: no

Activities: very low
