CVE-2026-53330 in Linux

Summary

by MITRE • 07/01/2026

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()

[Why & How]
The aux_rd_interval array in struct dc_lttpr_caps is declared with MAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset parameter passed to dp_get_eq_aux_rd_interval() can be as large as MAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD. This leads to an out-of-bounds read of aux_rd_interval[7] when offset is 8.

Fix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to accommodate the full range of valid repeater counts defined by the DP spec.

(cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)

Analysis

by VulDB Data Team • 07/01/2026

This vulnerability exists within the AMD display driver component of the Linux kernel, specifically in the drm/amd/display subsystem where DisplayPort communication is handled. The issue manifests as an out-of-bounds memory read operation that occurs during the processing of DisplayPort link training parameters. The flaw stems from a mismatch between the declared array size and the actual range of values that can be processed by the function, creating a potential security risk through memory corruption or information disclosure.

The technical root cause involves the dc_lttpr_caps structure which contains an aux_rd_interval array with only seven elements indexed from zero to six. However, the dp_get_eq_aux_rd_interval() function receives an offset parameter that can legitimately reach up to eight when dealing with DisplayPort sinks that report eight LTTPR (Link Training Termination and Pre-amplification Repeater) devices through DPCD (DisplayPort Configuration Data). This discrepancy creates a scenario where the function attempts to access aux_rd_interval[7] when the offset parameter equals eight, resulting in an out-of-bounds memory read.

The operational impact of this vulnerability extends beyond simple memory access violations as it represents a classic buffer over-read condition that could potentially be exploited to gain unauthorized information access or cause system instability. This type of flaw aligns with CWE-129, which describes improper validation of array indices, and falls under ATT&CK technique T1068 for locally executed code exploitation. The vulnerability affects systems using AMD graphics hardware in Linux environments where DisplayPort connections are established with devices that support multiple repeaters.

The fix implemented addresses this by expanding the aux_rd_interval array to accommodate the full valid range of repeater counts as defined by the DisplayPort specification, growing it from MAX_REPEATER_CNT - 1 elements to MAX_REPEATER_CNT elements. This change ensures that when offset parameters reach their maximum legitimate value of eight, the memory access remains within bounds. The solution follows standard security practices for buffer management and aligns with industry recommendations for preventing out-of-bounds read conditions. The cherry-picked commit ensures this fix is properly integrated into the kernel codebase while maintaining compatibility with existing functionality.
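
The sizing mismatch and its fix, modelled as a small stand-alone C program (an added example, not the kernel's own code). The struct names, `aux_rd_interval_lookup()` and `first_oob_offset()` are hypothetical, and the 1-based `offset - 1` indexing is an assumption inferred from the advisory's statement that offset 8 reads element 7.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_REPEATER_CNT 8 /* value stated in the advisory */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-ins for struct dc_lttpr_caps, reduced to one field. */
struct lttpr_caps_before { uint8_t aux_rd_interval[MAX_REPEATER_CNT - 1]; };
struct lttpr_caps_after  { uint8_t aux_rd_interval[MAX_REPEATER_CNT]; };

/* Build-time guard: the table must cover every valid repeater count. */
_Static_assert(ARRAY_LEN(((struct lttpr_caps_after *)0)->aux_rd_interval)
               >= MAX_REPEATER_CNT, "aux_rd_interval too small");

/* Checked lookup. Assumes repeater offsets are 1-based (offset N reads
 * element N - 1). Returns 0 and stores the value, or -1 if out of range. */
int aux_rd_interval_lookup(const uint8_t *tbl, size_t len,
                           uint32_t offset, uint8_t *out)
{
    if (offset == 0 || offset > MAX_REPEATER_CNT)
        return -1;                 /* not a repeater offset at all */
    if ((size_t)offset - 1 >= len)
        return -1;                 /* index would fall past the array */
    *out = tbl[offset - 1];
    return 0;
}

/* First repeater offset whose index falls outside a table of len entries,
 * or 0 when every offset in 1..MAX_REPEATER_CNT is covered. */
uint32_t first_oob_offset(size_t len)
{
    for (uint32_t offset = 1; offset <= MAX_REPEATER_CNT; offset++)
        if ((size_t)offset - 1 >= len)
            return offset;
    return 0;
}

int main(void)
{
    struct lttpr_caps_before b = { {0} };
    struct lttpr_caps_after a = { {0} };
    printf("before: %zu entries, first OOB offset %u\n",
           ARRAY_LEN(b.aux_rd_interval),
           (unsigned)first_oob_offset(ARRAY_LEN(b.aux_rd_interval)));
    printf("after:  %zu entries, first OOB offset %u\n",
           ARRAY_LEN(a.aux_rd_interval),
           (unsigned)first_oob_offset(ARRAY_LEN(a.aux_rd_interval)));
    return 0;
}
```

The `_Static_assert` turns a future shrink of the array into a build failure, while the checked lookup rejects an out-of-range offset at run time instead of reading adjacent memory.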

This vulnerability demonstrates how seemingly minor inconsistencies in array sizing can create significant security implications in kernel space drivers, particularly those handling hardware communication protocols where parameter validation is critical. The fix maintains backward compatibility while addressing the specific boundary condition that could be exploited by malicious actors or inadvertently triggered through normal system operation. System administrators should ensure this patch is applied to all Linux systems running AMD graphics drivers to prevent potential exploitation of this out-of-bounds read condition.

Responsible

Linux

Reservation

06/09/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
