CVE-2026-46263 Overview
CVE-2026-46263 is an out-of-bounds array access vulnerability in the Linux kernel's AMD GPU display driver (drm/amd/display). The flaw resides in the dcn35_stream_encoder_create() function within dcn351_resource.c, where the eng_id parameter is used directly as an index into the stream_enc_regs[] array without proper bounds validation. The array contains only five entries, but eng_id can reach ENGINE_ID_DIGF (value 5) or be negative, allowing reads past the array boundary.
Critical Impact
Triggering the vulnerable code path can cause out-of-bounds memory access in kernel space, leading to memory corruption or denial of service on systems using AMD DCN3.5 display hardware.
Affected Products
- Linux kernel versions containing the drm/amd/display DCN3.5 resource code prior to the fix
- AMD GPU display driver component (dcn351_resource.c)
- Distributions shipping affected Linux kernel builds with AMD DCN3.5 hardware support
Discovery Timeline
- 2026-06-03 - CVE-2026-46263 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46263
Vulnerability Analysis
The vulnerability exists in the AMD Display Core Next (DCN) 3.5 stream encoder creation path. The function dcn35_stream_encoder_create() accepts an enum engine_id eng_id parameter and uses it directly to index stream_enc_regs[], which is sized for five elements. The guard condition if (eng_id <= ENGINE_ID_DIGF) permits values up to and including 5, but valid indices range from 0 to 4. When eng_id equals ENGINE_ID_DIGF (5), the access &stream_enc_regs[eng_id] reads one element beyond the array.
Static analysis by Smatch also flagged that eng_id, declared as a signed type, could theoretically be negative, which would produce an even more severe out-of-bounds read. This issue falls under [CWE-125] Out-of-Bounds Read and [CWE-129] Improper Validation of Array Index.
Root Cause
The root cause is an off-by-one boundary check combined with insufficient validation of a signed index value. The original comparison used <= against ENGINE_ID_DIGF instead of < against ARRAY_SIZE(stream_enc_regs). The fix introduces an explicit bounds check using ARRAY_SIZE() to verify that eng_id is within the valid range before it is used as an array subscript.
Attack Vector
Exploitation requires triggering the AMD DCN3.5 stream encoder creation path with a crafted or unexpected eng_id value. This typically occurs during display pipeline initialization or mode-setting operations. A local attacker with the ability to influence display configuration parameters, or a malformed hardware configuration, could reach the vulnerable code. The result is kernel memory read past the intended buffer, which may cause kernel panics, undefined behavior, or information disclosure depending on adjacent memory contents.
No public proof-of-concept exploit is associated with this CVE. The issue was identified through static analysis (Smatch) rather than active exploitation.
Detection Methods for CVE-2026-46263
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing dcn35_stream_encoder_create or stream_enc_regs in dmesg output
- KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds access in drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
- Display subsystem crashes or GPU hangs on systems with AMD DCN3.5 hardware
Detection Strategies
- Enable KASAN in kernel test builds to catch out-of-bounds access at runtime during display initialization
- Audit running kernel versions against the patched commits referenced in the Linux stable tree
- Use static analysis tools such as Smatch on local kernel forks that backport AMD display driver changes
Monitoring Recommendations
- Monitor /var/log/kern.log and journalctl -k output for AMD GPU driver faults and DRM subsystem errors
- Track kernel package versions across endpoints and validate they include the upstream fix
- Correlate display initialization events with system stability metrics on AMD DCN3.5-equipped hardware
How to Mitigate CVE-2026-46263
Immediate Actions Required
- Apply the upstream Linux kernel patches that introduce the ARRAY_SIZE() bounds check in dcn35_stream_encoder_create()
- Update affected Linux distributions to a kernel build containing the fix once vendors release patched packages
- Inventory systems running AMD GPUs with DCN3.5 display hardware to prioritize remediation
Patch Information
The fix has been merged into the Linux stable tree across multiple branches. Refer to the following commits for the patch content and backport details:
- Kernel Git Commit 263e28a
- Kernel Git Commit 29f3824
- Kernel Git Commit abde491
- Kernel Git Commit ca3808d
The patch replaces the original eng_id <= ENGINE_ID_DIGF comparison with an explicit bounds check against ARRAY_SIZE(stream_enc_regs), ensuring the index is always within the array's valid range.
Workarounds
- No documented runtime workaround exists; the fix requires a kernel update
- On systems where patching is delayed, restrict access to display configuration interfaces and avoid loading untrusted kernel modules that interact with the AMD DRM subsystem
- Consider booting with alternative display drivers if AMD DCN3.5 hardware is not required for the workload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
