MEDIUM 5.5

CVE-2026-46245: Linux AMD Display Driver Null Pointer Dereference DoS Vulnerability

A flaw in the Linux kernel's AMD display driver (amdgpu) can cause a system crash when the driver attempts to initialize Hot Plug Detect (HPD) interrupts for video connectors. The problem occurs because the code checks whether a connector's data structure (dc_link) is valid in one place, but then later uses it without checking again, leading to a null pointer dereference. This vulnerability affects systems with AMD GPUs running vulnerable kernel versions and can be triggered by a local user, resulting in a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD init amdgpu_dm_hpd_init() may see connectors without a valid dc_link. The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts. Assign dc_link early and skip connectors where it is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we previously assumed 'dc_link' could be null (see line 931) drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c 923 /* 924 * Analog connectors may be hot-plugged unlike other connector 925 * types that don't support HPD. Only poll analog connectors. 926 */ 927 use_polling |= 928 amdgpu_dm_connector->dc_link && ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed 929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id); 930 931 dc_link = amdgpu_dm_connector->dc_link; dc_link assigned here. 932 933 /* 934 * Get a base driver irq reference for hpd ints for the lifetime 935 * of dm. Note that only hpd interrupt types are registered with 936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on 937 * hpd_rx isn't available. DM currently controls hpd_rx 938 * explicitly with dc_interrupt_set() 939 */ --> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) { ^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here. 941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1; 942 /* 943 * TODO: There's a mismatch between mode_info.num_hpd 944 * and what bios reports as the # of connectors with hpd

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46245 is a null pointer dereference in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c within the amdgpu_dm_hpd_init() function. The function iterates through display connectors and checks whether amdgpu_dm_connector->dc_link is valid before deciding whether to enable polling for analog connectors. However, the code later unconditionally dereferences dc_link when accessing its irq_source_hpd member without re-checking for null. A connector may have a null dc_link, triggering a kernel panic when the driver attempts HPD initialization. The fix involves assigning dc_link early and skipping connectors where it remains null, preventing the unsafe dereference.

Business impact

For organizations operating Linux systems with AMD GPUs, this vulnerability presents a denial of service risk. An unprivileged local user could trigger a kernel panic by exploiting the null pointer dereference during HPD initialization, causing system downtime. This is particularly relevant for desktop workstations, rendering farms, gaming systems, and data center nodes equipped with AMD graphics accelerators. The impact is elevated in headless or remote environments where system recovery may be delayed.

Affected systems

The Linux kernel versions containing this flaw specifically affect systems with AMD display drivers (amdgpu). The vulnerability is present in the DRM (Direct Rendering Manager) subsystem's AMD display code. Any Linux distribution running an affected kernel version with AMD GPU support enabled is potentially impacted. The precise range of affected versions should be verified against upstream Linux kernel release notes and your distribution's security advisories.

Exploitability

The vulnerability requires local access (AV:L) and standard user privileges (PR:L) to trigger. No user interaction is required (UI:N), and exploitation results in a kernel panic affecting the system under attack. The attack is straightforward—HPD initialization occurs during driver probe or connector enumeration, which may be triggered by device hotplug events, driver reloads, or system resume. This is not a remote vulnerability, but the low barrier to local exploitation means any unprivileged user on an affected system could cause a denial of service.

Remediation

Apply the patch that adds appropriate null checks for dc_link before dereference in the HPD initialization path. The fix involves assigning dc_link early and skipping connectors where dc_link is null, ensuring that irq_source_hpd is only accessed when the pointer is valid. Verify the patch version number in your distribution's security updates or upstream Linux kernel repositories. Alternatively, disable AMD GPU support in the kernel configuration if the GPU is not required, though this is typically not practical for affected systems.

Patch guidance

Monitor your Linux distribution's security advisories for a kernel update addressing CVE-2026-46245. This will typically be released as part of a kernel security patch series. Apply the update through your standard package management system (apt, yum, dnf, zypper, etc.). After applying the patch, reboot the system to activate the fixed kernel. For systems unable to reboot immediately, schedule maintenance during a low-impact window. Verify that HPD functionality still operates correctly post-patch.

Detection guidance

Monitor kernel logs for null pointer dereference panics originating from amdgpu_dm_irq.c or the amdgpu_dm_hpd_init() function. Use tools like journalctl on systemd systems or dmesg to review kernel messages. Look for stack traces mentioning amdgpu_dm or display-related code. Additionally, monitor systems for unexpected reboots or system hangs during GPU initialization or connector enumeration. Track kernel versions in use via uname -r and cross-reference against patched versions from your vendor.

Why prioritize this

Although the CVSS score is moderate (5.5), prioritization should be based on your environment's GPU utilization. Systems with AMD GPUs require prompt patching due to the local denial of service risk and ease of exploitation. For organizations without AMD GPUs, this vulnerability has lower priority. Desktop and workstation environments should treat this as higher priority than server environments without GPUs. The lack of KEV status indicates this has not yet been exploited in the wild, but the straightforward nature of the flaw warrants timely remediation.

Risk score, explained

The CVSS v3.1 score of 5.5 (MEDIUM) reflects a local attack vector with low privileges required and high impact on availability (kernel panic). The vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H correctly indicates that this is a local denial of service with no confidentiality or integrity impact. The score does not account for environmental factors such as the prevalence of AMD GPUs in your infrastructure or the criticality of affected systems. Consider raising priority if AMD GPU systems are critical to operations.

Frequently asked questions

Is this vulnerability exploitable remotely?

No. CVE-2026-46245 requires local access to the system (AV:L). An attacker would need to authenticate as a user on the affected machine or gain local shell access. Remote exploitation is not possible.

Can this be exploited to gain elevated privileges or read sensitive data?

No. The vulnerability results only in a denial of service (kernel panic). It does not permit privilege escalation, memory disclosure, or arbitrary code execution. The impact vector shows C:N/I:N/A:H, meaning no confidentiality or integrity compromise.

Does this affect all Linux systems or only those with AMD GPUs?

This affects only systems with AMD display drivers enabled in the kernel and AMD GPUs present. Systems without AMD GPUs, or with AMD GPU support disabled in the kernel configuration, are not vulnerable.

How quickly should we patch this?

Patch according to your standard maintenance cycle, but prioritize systems with AMD GPUs and those that are difficult to reboot. Since no active exploitation has been reported (KEV status is false), a 30-90 day window is reasonable for most organizations, though critical rendering or workstation environments should prioritize sooner.

This analysis is based on the vulnerability description and publicly available information as of the publication date. Patch version numbers and specific affected kernel versions should be verified against official Linux distribution and upstream kernel security advisories. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations should test patches in non-production environments before broad deployment. This analysis does not constitute legal or technical advice; consult with your organization's security team and system administrators for implementation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).