PT-2026-52232 · Linux · Linux

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53136

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
[Why & How] The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9] and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated before use, so a malformed VBIOS can specify values up to 255, causing an out-of-bounds heap write during driver probe.
Clamp each register count to the destination array size using min_t() before the copy loops, in both get_integrated_info_v11() and get_integrated_info_v2_1().
(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
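
The clamp described above, shown as a userspace sketch. This is an added example, not code from the kernel commit: the struct layouts, `copy_regs()` and `parse_retimer()` are hypothetical simplifications, and the malformed table is constructed. Only the array sizes (9 and 3) and the u8 count fields come from the description.

```c
#include <stdint.h>
#include <stdio.h>

#define HDMI_REGS    9 /* dp*_ext_hdmi_reg_settings[9] on the page */
#define HDMI_6G_REGS 3 /* dp*_ext_hdmi_6g_reg_settings[3] on the page */

/* Hypothetical, simplified register entry; not the kernel's definition. */
struct reg_setting { uint8_t index; uint8_t value; };

/* Firmware-side record: the u8 counts come from the untrusted table. */
struct fw_retimer {
    uint8_t hdmi_reg_num, hdmi_6g_reg_num;
    struct reg_setting hdmi[HDMI_REGS], hdmi_6g[HDMI_6G_REGS];
};

/* Driver-side destination; canary stands in for adjacent heap data. */
struct drv_retimer {
    struct reg_setting hdmi[HDMI_REGS], hdmi_6g[HDMI_6G_REGS];
    uint32_t canary;
};

/* Copy at most cap entries, whatever count the firmware claims
 * (userspace equivalent of clamping with min_t(u8, count, cap)). */
static uint8_t copy_regs(struct reg_setting *dst, uint8_t cap,
                         const struct reg_setting *src, uint8_t fw_count)
{
    uint8_t n = fw_count < cap ? fw_count : cap;

    for (uint8_t i = 0; i < n; i++)
        dst[i] = src[i];
    return n;
}

/* Returns the total number of entries copied for one connector. */
static unsigned parse_retimer(struct drv_retimer *out, const struct fw_retimer *fw)
{
    return copy_regs(out->hdmi, HDMI_REGS, fw->hdmi, fw->hdmi_reg_num) +
           copy_regs(out->hdmi_6g, HDMI_6G_REGS, fw->hdmi_6g, fw->hdmi_6g_reg_num);
}

int main(void)
{
    /* Constructed malformed table: both counts claim 255 entries. */
    struct fw_retimer fw = { .hdmi_reg_num = 255, .hdmi_6g_reg_num = 255 };
    struct drv_retimer out = { .canary = 0xC0FFEEu };
    printf("copied=%u canary_intact=%d\n", parse_retimer(&out, &fw),
           out.canary == 0xC0FFEEu);
    return 0;
}
```

Without the clamp, the same loops would run 255 iterations against 9- and 3-entry arrays, writing past the destination and reading past the source.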

Related Identifiers

CVE-2026-53136

Affected Products

Linux