PT-2026-52231 · Linux · Linux
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-53135
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
[Why & How]
dp sdp message debugfs write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp message debugfs node.
The function also ignores the user-provided size argument and always
passes 36 bytes to copy from user(), reading past the user buffer when
size < 36.
Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write size to min(size, sizeof(data))
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux