CVE-2026-43337 Overview
CVE-2026-43337 is a NULL pointer dereference vulnerability in the Linux kernel's AMD Display Core Next (DCN) driver. The flaw resides in the dcn401_init_hw() function within drm/amd/display, where the code assumes the update_bw_bounding_box() callback is valid when entering the update path. The existing conditional check does not enforce this assumption because the freq_changed branch can evaluate to true independently of the callback pointer. A local attacker with low privileges can trigger the dereference, resulting in a kernel crash and denial of service [CWE-476].
Critical Impact
A local user can trigger a kernel NULL pointer dereference in the AMD display driver, causing a system-wide denial of service on affected Linux systems.
Affected Products
- Linux kernel 6.12
- Linux kernel 7.0 release candidates (rc1 through rc6)
- Systems using the drm/amd/display driver with DCN 4.01 hardware
Discovery Timeline
- 2026-05-08 - CVE-2026-43337 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43337
Vulnerability Analysis
The vulnerability exists in dcn401_init_hw() at drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c:367. The function evaluates the condition ((!fams2_enable && update_bw_bounding_box) || freq_changed) before invoking the update_bw_bounding_box() callback. The callback pointer is tested only in the left operand of the ||, so when freq_changed is true the whole condition is true and the code path executes even when the update_bw_bounding_box function pointer is NULL. The subsequent indirect call dereferences a NULL pointer in kernel context, triggering an oops and halting the affected CPU or the entire system depending on kernel configuration.
Root Cause
The root cause is a logic error in the conditional guarding an indirect function call. The check conflates two independent decisions: whether to perform the update and whether the callback is safe to invoke. The fix separates the update condition from the pointer validity check and explicitly validates dc->res_pool->funcs->update_bw_bounding_box, dc->clk_mgr, and bw_params before use. The patch was backported from upstream commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477.
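The guard logic described above, modelled in user-space C as an added example (not the driver's code or the upstream patch): it walks every combination of fams2_enable, callback presence and freq_changed and counts the combinations each guard admits. The struct names, bbox_stub and the exact form of guard_after are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver objects named in the advisory. */
struct clk_mgr_model { const void *bw_params; };
struct dc_model {
    void (*update_bw_bounding_box)(void);   /* dc->res_pool->funcs->... */
    const struct clk_mgr_model *clk_mgr;    /* dc->clk_mgr */
};
typedef bool (*guard_fn)(bool fams2_enable, const struct dc_model *dc, bool freq_changed);

static void bbox_stub(void) { }

/* Guard as quoted in the advisory: freq_changed alone makes it true. */
static bool guard_before(bool fams2_enable, const struct dc_model *dc, bool freq_changed)
{
    return (!fams2_enable && dc->update_bw_bounding_box) || freq_changed;
}

/* Assumed shape of the fix: decide whether to update, then validate pointers. */
static bool guard_after(bool fams2_enable, const struct dc_model *dc, bool freq_changed)
{
    bool update_needed = !fams2_enable || freq_changed;
    return update_needed && dc->update_bw_bounding_box &&
           dc->clk_mgr && dc->clk_mgr->bw_params;
}

/* Count the input combinations (of 8) a guard admits with the callback NULL or valid. */
static int count_admitted(guard_fn guard, bool want_null)
{
    static const int params = 1;            /* constructed non-NULL bw_params */
    const struct clk_mgr_model clk = { &params };
    int n = 0;
    for (int bits = 0; bits < 8; bits++) {
        bool fams2 = bits & 1, has_cb = bits & 2, freq = bits & 4;
        struct dc_model dc = { has_cb ? bbox_stub : NULL, &clk };
        if (guard(fams2, &dc, freq) && (dc.update_bw_bounding_box == NULL) == want_null)
            n++;
    }
    return n;
}

int main(void)
{
    printf("before: %d NULL / %d valid; after: %d NULL / %d valid\n",
           count_admitted(guard_before, true), count_admitted(guard_before, false),
           count_admitted(guard_after, true), count_admitted(guard_after, false));
    return 0;
}
```

The original guard admits two NULL-callback combinations, both with freq_changed set; the separated guard admits none while still admitting the same three valid-callback combinations.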
Attack Vector
Exploitation requires local access with low privileges on a system using AMD graphics hardware supported by the DCN 4.01 hardware sequencer. An attacker triggers the vulnerable code path by causing a display frequency change event under conditions where the update_bw_bounding_box callback pointer is NULL. The result is a kernel-level NULL pointer dereference. The vulnerability does not affect confidentiality or integrity, but a high availability impact is achievable through repeated denial of service. No public proof-of-concept or in-the-wild exploitation has been reported.
No verified public exploit code is available. See the upstream patch references for technical details on the corrected control flow.
Detection Methods for CVE-2026-43337
Indicators of Compromise
- Kernel oops messages referencing dcn401_init_hw or update_bw_bounding_box in dmesg or /var/log/kern.log
- Unexpected display subsystem crashes or GPU resets correlated with display mode changes
- System reboots or hangs occurring during graphics initialization or frequency transitions
Detection Strategies
- Audit running kernel versions across the fleet and flag hosts running Linux 6.12 or 7.0-rc1 through 7.0-rc6 with AMD GPUs
- Monitor kernel logs for null pointer dereference panics in the amdgpu and drm subsystems
- Correlate user session activity with kernel crash events to identify potential local exploitation attempts
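One way to implement the log check from the lists above, as an added example that is not part of the original advisory: it counts NULL pointer dereference oops blocks whose trace names dcn401_init_hw or update_bw_bounding_box, ignoring unrelated oopses. The log excerpt is constructed and the function name count_dcn401_oopses is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed kernel log excerpt (not captured from a real host). */
static const char SAMPLE_LOG[] =
    "[ 12.001] amdgpu 0000:03:00.0: [drm] Display Core initialized\n"
    "[ 12.340] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[ 12.341] RIP: 0010:0x0\n"
    "[ 12.342] Call Trace:\n"
    "[ 12.343]  dcn401_init_hw+0x5a1/0x9c0 [amdgpu]\n"
    "[ 12.344] ---[ end trace 0000000000000000 ]---\n"
    "[ 98.100] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[ 98.101]  ext4_readdir+0x11/0x80\n"
    "[ 98.102] ---[ end trace 0000000000000000 ]---\n";

/* Count NULL-dereference oops blocks whose body names either symbol. */
static int count_dcn401_oopses(const char *log)
{
    int hits = 0, in_oops = 0, matched = 0;
    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        size_t n = len < sizeof buf ? len : sizeof buf - 1;  /* clip long lines */
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (strstr(buf, "BUG: kernel NULL pointer dereference")) {
            in_oops = 1;                 /* a new oops block starts here */
            matched = 0;
        } else if (in_oops && strstr(buf, "---[ end trace")) {
            in_oops = 0;                 /* block closed */
        } else if (in_oops && !matched &&
                   (strstr(buf, "dcn401_init_hw") ||
                    strstr(buf, "update_bw_bounding_box"))) {
            matched = 1;                 /* count each oops block once */
            hits++;
        }
        line += len + (nl ? 1 : 0);
    }
    return hits;
}

int main(void)
{
    printf("matching oops blocks: %d\n", count_dcn401_oopses(SAMPLE_LOG));
    return 0;
}
```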
Monitoring Recommendations
- Forward kern.log and journalctl -k output to a centralized log platform for analysis of kernel panics
- Track package and kernel version inventory continuously to identify unpatched hosts
- Alert on repeated graphics driver failures from the same local user account, which may indicate exploitation attempts
How to Mitigate CVE-2026-43337
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 10c13c111d0d, 2d4a6f0702c5, and e927b36ae18b from git.kernel.org
- Update to a distribution kernel that includes the backport of upstream commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477
- Restrict local access to systems with affected AMD graphics hardware until patches are applied
Patch Information
The fix separates the update condition from the pointer validity check and ensures the callback, dc->clk_mgr, and bw_params are validated before use. Patches are available from the kernel stable tree in three commits on git.kernel.org.
Workarounds
- Limit local logon rights on affected hosts to trusted administrators only
- Avoid loading the amdgpu driver on systems that do not require display output, such as headless servers
- Apply distribution security updates as soon as vendor-backported fixes are released
```bash
# Verify the running kernel version and check for the fix
uname -r
# On Debian/Ubuntu
apt list --installed 2>/dev/null | grep linux-image
# On RHEL/Fedora
rpm -q kernel
```


