In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Clamp HDMI HDCP2 rxidlist read to buffer size
[Why & How] During HDCP 2.x repeater authentication over HDMI, the driver reads the sink's RxStatus register and extracts a 10-bit message size field (max value 1023). This value is used as the read length for the ReceiverID list without being clamped to the size of the destination buffer rxidlist[177]. A malicious HDMI repeater could advertise a message size larger than the buffer, causing an out-of-bounds write during the I2C read.
Clamp the read length in modhdcpreadrxidlist() to the size of the rxid_list buffer, matching the approach already used in the DP branch.
(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53137.json",
"cna_assigner": "Linux"
}