{"id":"CVE-2026-53138","summary":"drm/amd/display: Bound VBIOS record-chain walk loops","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Bound VBIOS record-chain walk loops\n\n[Why & How]\nAll record-chain walk loops in bios_parser.c and bios_parser2.c use\nfor(;;) and only terminate on a 0xFF record_type sentinel or zero\nrecord_size. A malformed VBIOS image missing the terminator record\ncauses unbounded iteration at probe time, potentially hundreds of\nthousands of iterations with record_size=1. In the final iterations\nnear the BIOS image boundary, struct casts beyond the 2-byte header\nvalidated by GET_IMAGE can also read out of bounds.\n\nCap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)\niterations. The atombios.h defines up to 22 distinct record types\nand atomfirmware.h has 13. Assuming an average of less than 10\nrecords per type (which is reasonable since most are connector-\nbased) 256 is a generous upper bound.\n\n(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)","modified":"2026-07-09T18:30:19.671736189Z","published":"2026-06-25T08:38:26.859Z","related":["CGA-2h4m-p49f-cc4c","SUSE-SU-2026:22521-1","SUSE-SU-2026:22522-1","SUSE-SU-2026:2799-1","SUSE-SU-2026:2800-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53138.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/04e271a952b8863bbafc99bd51aca4c32bff0e0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2645e3caf7e013189da9c6ff621d006cca5a538b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/499c6b43a79dd684bddbd18fe8b2235aa2764db4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6173cfea2f916e01c4f98e29cd654384a05e32a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6723188c42ca3b34a9fce634d7a0ecc9ccd5cd56"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e94f5323c41f32a74160378c3b19850d1f203ad5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff287df16a1a58aca78b08d1f3ee09fc44da0351"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53138.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53138"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c"},{"fixed":"e94f5323c41f32a74160378c3b19850d1f203ad5"},{"fixed":"04e271a952b8863bbafc99bd51aca4c32bff0e0d"},{"fixed":"6723188c42ca3b34a9fce634d7a0ecc9ccd5cd56"},{"fixed":"499c6b43a79dd684bddbd18fe8b2235aa2764db4"},{"fixed":"6173cfea2f916e01c4f98e29cd654384a05e32a3"},{"fixed":"0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1"},{"fixed":"2645e3caf7e013189da9c6ff621d006cca5a538b"},{"fixed":"ff287df16a1a58aca78b08d1f3ee09fc44da0351"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53138.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"5.10.260"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.211"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.177"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.144"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53138.json"}}],"schema_version":"1.7.5"}