CVE-2026-53330 Overview
CVE-2026-53330 is an out-of-bounds read vulnerability in the Linux kernel's AMD Display driver (drm/amd/display). The flaw resides in the dp_get_eq_aux_rd_interval() function, which handles DisplayPort (DP) Link Training Tunable PHY Repeaters (LTTPR). The aux_rd_interval array in struct dc_lttpr_caps is sized with MAX_REPEATER_CNT - 1 (7) elements. When a downstream sink reports 8 LTTPR repeaters via DisplayPort Configuration Data (DPCD), the offset parameter can reach MAX_REPEATER_CNT (8), causing a read past the array boundary at index 7.
Critical Impact
A crafted or non-compliant DisplayPort sink reporting the maximum permitted LTTPR count triggers a kernel out-of-bounds read, potentially disclosing adjacent kernel memory or destabilizing the display subsystem.
Affected Products
- Linux kernel with AMD Display (amdgpu) driver enabled
- Systems using DisplayPort links with LTTPR repeater chains
- Distributions shipping the affected drm/amd/display code prior to the fixing commits
Discovery Timeline
- 2026-07-01 - CVE-2026-53330 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53330
Vulnerability Analysis
The vulnerability [CWE-125] originates in the AMD Display driver's DisplayPort link training logic. The dc_lttpr_caps structure defines aux_rd_interval as an array with MAX_REPEATER_CNT - 1 entries, providing valid indices 0 through 6. The DisplayPort specification allows a sink to report up to 8 LTTPRs (MAX_REPEATER_CNT) via DPCD registers.
When the driver processes a topology reporting 8 repeaters, dp_get_eq_aux_rd_interval() receives an offset value of 8. The function then accesses aux_rd_interval[offset - 1], which resolves to aux_rd_interval[7], reading one element past the allocated storage. This adjacent memory read occurs within kernel context during display link training.
Root Cause
The root cause is a size mismatch between the specification-defined maximum repeater count and the array dimension declared in the kernel structure. The developers sized the array using MAX_REPEATER_CNT - 1 under the assumption that only non-terminal repeaters required storage, but the offset math used by the AUX read-interval helper indexes across the full valid range up to MAX_REPEATER_CNT.
Attack Vector
Triggering the flaw requires a DisplayPort sink device or intermediate repeater chain that advertises 8 LTTPRs through DPCD. An attacker with physical access, or control over a malicious or non-compliant display peripheral, can force the vulnerable code path during link training. The out-of-bounds read occurs in kernel memory, with potential consequences including kernel memory disclosure through subsequent side effects, KASAN reports on hardened builds, or display subsystem instability.
The fix, applied via commits 454d3b3d499c, dc1490927d79, and e8b4d37eba05, grows aux_rd_interval to MAX_REPEATER_CNT elements so the full valid offset range fits within the array bounds.
Detection Methods for CVE-2026-53330
Indicators of Compromise
- KASAN or KFENCE reports naming dp_get_eq_aux_rd_interval or dc_lttpr_caps in kernel logs
- Unexpected amdgpu driver warnings or oops entries during DisplayPort hotplug or link training events
- dmesg entries showing DisplayPort link training failures on systems using LTTPR-enabled monitors or docks
Detection Strategies
- Enumerate running kernel versions across the fleet and compare against the fixing commit hashes in stable trees
- Monitor kernel ring buffer output for slab-out-of-bounds diagnostics referencing AMD display code paths
- Audit systems using DisplayPort docking stations, KVMs, or signal extenders, which commonly introduce LTTPR chains
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on amdgpu fault signatures
- Track kernel package versions via configuration management and flag hosts running pre-patch builds
- Correlate display-related kernel warnings with USB or DisplayPort device connection events for peripheral-driven triggers
How to Mitigate CVE-2026-53330
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution that includes the fixing commits
- Prioritize patching workstations, laptops, and kiosks that connect external DisplayPort peripherals or docking stations
- On hardened systems, enable KASAN in test environments to validate that the patched code no longer triggers out-of-bounds reports
Patch Information
The fix is available in the Linux stable tree via three commits: Linux Kernel Commit 454d3b3, Linux Kernel Commit dc14909, and Linux Kernel Commit e8b4d37. The patch resizes aux_rd_interval to MAX_REPEATER_CNT elements, aligning storage with the DisplayPort specification's maximum valid repeater count.
Workarounds
- Avoid connecting untrusted DisplayPort peripherals, docks, or signal repeaters until patched kernels are deployed
- Disable the amdgpu driver on systems that do not require AMD display output, using an alternate driver or headless configuration
- Restrict physical access to systems where users could attach malicious DisplayPort devices
# Verify installed kernel version and check for the patched build
uname -r
# Debian/Ubuntu: update to the latest kernel package
sudo apt update && sudo apt install --only-upgrade linux-image-generic
# RHEL/Fedora: update kernel via dnf
sudo dnf update kernel
# Reboot to activate the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

