CVE-2026-46263 (GCVE-0-2026-46263)
Vulnerability from cvelistv5 – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
drm/amd/display: Fix out-of-bounds stream encoder index v3
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix out-of-bounds stream encoder index v3
eng_id can be negative and that stream_enc_regs[]
can be indexed out of bounds.
eng_id is used directly as an index into stream_enc_regs[], which has
only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can
access memory past the end of the array.
Add a bounds check using ARRAY_SIZE() before using eng_id as an index.
The unsigned cast also rejects negative values.
This avoids out-of-bounds access.
Fixes the below smatch error:
dcn*_resource.c: stream_encoder_create() may index
stream_enc_regs[eng_id] out of bounds (size 5).
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
1246 static struct stream_encoder *dcn35_stream_encoder_create(
1247 enum engine_id eng_id,
1248 struct dc_context *ctx)
1249 {
...
1255
1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
1257 if (eng_id <= ENGINE_ID_DIGF) {
ENGINE_ID_DIGF is 5. should <= be <?
Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative?
end_id is type signed long, but there are checks in the caller which prevent it from being negative.
1258 vpg_inst = eng_id;
1259 afmt_inst = eng_id;
1260 } else
1261 return NULL;
1262
...
1281
1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
1283 eng_id, vpg, afmt,
--> 1284 &stream_enc_regs[eng_id],
^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.
...
1287 return &enc1->base;
1288 }
v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast
v3: The compiler already knows how to compare the two values, so the
cast (int) is not needed. (Roman)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < 29f3824b08a98d41ecbbfd33580630d7607f962e
(git)
Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < 263e28add4f4472cfa95150d218955d1945aa413 (git) Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < ca3808d560ad946ab6d089fd1f5bee04b952ead4 (git) Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < abde491143e4e12eecc41337910aace4e8d59603 (git) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29f3824b08a98d41ecbbfd33580630d7607f962e",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "263e28add4f4472cfa95150d218955d1945aa413",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "ca3808d560ad946ab6d089fd1f5bee04b952ead4",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "abde491143e4e12eecc41337910aace4e8d59603",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bounds stream encoder index v3\n\neng_id can be negative and that stream_enc_regs[]\ncan be indexed out of bounds.\n\neng_id is used directly as an index into stream_enc_regs[], which has\nonly 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can\naccess memory past the end of the array.\n\nAdd a bounds check using ARRAY_SIZE() before using eng_id as an index.\nThe unsigned cast also rejects negative values.\n\nThis avoids out-of-bounds access.\n\nFixes the below smatch error:\ndcn*_resource.c: stream_encoder_create() may index\nstream_enc_regs[eng_id] out of bounds (size 5).\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c\n 1246 static struct stream_encoder *dcn35_stream_encoder_create(\n 1247 enum engine_id eng_id,\n 1248 struct dc_context *ctx)\n 1249 {\n\n ...\n\n 1255\n 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */\n 1257 if (eng_id \u003c= ENGINE_ID_DIGF) {\n\nENGINE_ID_DIGF is 5. should \u003c= be \u003c?\n\nUnrelated but, ugh, why is Smatch saying that \"eng_id\" can be negative?\nend_id is type signed long, but there are checks in the caller which prevent it from being negative.\n\n 1258 vpg_inst = eng_id;\n 1259 afmt_inst = eng_id;\n 1260 } else\n 1261 return NULL;\n 1262\n\n ...\n\n 1281\n 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx-\u003edc_bios,\n 1283 eng_id, vpg, afmt,\n--\u003e 1284 \u0026stream_enc_regs[eng_id],\n ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.\n\n ...\n\n 1287 return \u0026enc1-\u003ebase;\n 1288 }\n\nv2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast\n\nv3: The compiler already knows how to compare the two values, so the\n cast (int) is not needed. (Roman)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:02.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29f3824b08a98d41ecbbfd33580630d7607f962e"
},
{
"url": "https://git.kernel.org/stable/c/263e28add4f4472cfa95150d218955d1945aa413"
},
{
"url": "https://git.kernel.org/stable/c/ca3808d560ad946ab6d089fd1f5bee04b952ead4"
},
{
"url": "https://git.kernel.org/stable/c/abde491143e4e12eecc41337910aace4e8d59603"
}
],
"title": "drm/amd/display: Fix out-of-bounds stream encoder index v3",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46263",
"datePublished": "2026-06-03T15:50:02.572Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:02.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46263\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-03T18:16:27.743\",\"lastModified\":\"2026-06-03T18:16:27.743\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: Fix out-of-bounds stream encoder index v3\\n\\neng_id can be negative and that stream_enc_regs[]\\ncan be indexed out of bounds.\\n\\neng_id is used directly as an index into stream_enc_regs[], which has\\nonly 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can\\naccess memory past the end of the array.\\n\\nAdd a bounds check using ARRAY_SIZE() before using eng_id as an index.\\nThe unsigned cast also rejects negative values.\\n\\nThis avoids out-of-bounds access.\\n\\nFixes the below smatch error:\\ndcn*_resource.c: stream_encoder_create() may index\\nstream_enc_regs[eng_id] out of bounds (size 5).\\n\\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c\\n 1246 static struct stream_encoder *dcn35_stream_encoder_create(\\n 1247 enum engine_id eng_id,\\n 1248 struct dc_context *ctx)\\n 1249 {\\n\\n ...\\n\\n 1255\\n 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */\\n 1257 if (eng_id \u003c= ENGINE_ID_DIGF) {\\n\\nENGINE_ID_DIGF is 5. should \u003c= be \u003c?\\n\\nUnrelated but, ugh, why is Smatch saying that \\\"eng_id\\\" can be negative?\\nend_id is type signed long, but there are checks in the caller which prevent it from being negative.\\n\\n 1258 vpg_inst = eng_id;\\n 1259 afmt_inst = eng_id;\\n 1260 } else\\n 1261 return NULL;\\n 1262\\n\\n ...\\n\\n 1281\\n 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx-\u003edc_bios,\\n 1283 eng_id, vpg, afmt,\\n--\u003e 1284 \u0026stream_enc_regs[eng_id],\\n ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.\\n\\n ...\\n\\n 1287 return \u0026enc1-\u003ebase;\\n 1288 }\\n\\nv2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast\\n\\nv3: The compiler already knows how to compare the two values, so the\\n cast (int) is not needed. (Roman)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/263e28add4f4472cfa95150d218955d1945aa413\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/29f3824b08a98d41ecbbfd33580630d7607f962e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abde491143e4e12eecc41337910aace4e8d59603\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ca3808d560ad946ab6d089fd1f5bee04b952ead4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…