How is CVE-2026-46263 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network path to the vulnerable code is required. Authentication (required): Any low-privilege local account is sufficient to trigger the out-of-bounds access; no administrative rights are needed. Victim interaction (not-required): No action from another user or administrator is needed for the attacker to exploit this vulnerability. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special memory layout requirements are needed.

What is the impact of CVE-2026-46263?

An attacker reads arbitrary kernel memory, including stored credentials, session tokens, and other sensitive kernel-resident data. An attacker writes to out-of-bounds kernel memory, corrupting data structures or injecting malicious values into kernel state. An attacker crashes the affected system by corrupting critical kernel memory, causing a kernel panic and service disruption. All three impact dimensions are rated HIGH, meaning the attacker gains full control over the confidentiality, integrity, and availability of the host system.

Back to search

HIGHCVE-2026-46263Published 2026-06-03Modified 2026-06-05CNA Linux

CVE-2026-46263: drm/amd/display: Fix out-of-bounds stream encoder index v3

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bounds stream encoder index v3 eng_id can be negative and that stream_enc_regs[] can be indexed out of bounds. eng_id is used directly as an index into stream_enc_regs[], which has only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can access memory past the end of the array. Add a bounds check using ARRAY_SIZE() before using eng_id as an index. The unsigned cast also rejects negative values. This avoids out-of-bounds access. Fixes the below smatch error: dcn*_resource.c: stream_encoder_create() may index stream_enc_regs[eng_id] out of bounds (size 5). drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c 1246 static struct stream_encoder *dcn35_stream_encoder_create( 1247 enum engine_id eng_id, 1248 struct dc_context *ctx) 1249 { ... 1255 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */ 1257 if (eng_id <= ENGINE_ID_DIGF) { ENGINE_ID_DIGF is 5. should <= be <? Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative? end_id is type signed long, but there are checks in the caller which prevent it from being negative. 1258 vpg_inst = eng_id; 1259 afmt_inst = eng_id; 1260 } else 1261 return NULL; 1262 ... 1281 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, 1283 eng_id, vpg, afmt, --> 1284 &stream_enc_regs[eng_id], ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array. ... 1287 return &enc1->base; 1288 } v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman)

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

HarborGuard Analysis

Synopsis

An out-of-bounds array access vulnerability exists in the Linux kernel's AMD Display (drm/amd/display) subsystem. The flaw is reachable locally by a low-privilege user, requiring no user interaction, and the CVSS vector indicates no network exposure. Successful exploitation gives an attacker full read, write, and crash capability over the affected system. Patched-image rebuilds at the fix versions (6.12.75, 6.18.14, and specific upstream commits) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46263 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer container images, including custom-built images that bundle an affected Linux kernel version.

Available

Triage

Triage is available using the CVSS v3.1 score of 7.8 (HIGH), derived from the vector indicating local access, low-privilege requirements, and high confidentiality, integrity, and availability impact. Per-environment compliance policy weighting is applied automatically, and findings are routed to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at the fix versions (6.12.75, 6.18.14, and the listed upstream commits) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the vulnerable code is required.
AuthenticationRequired
Any low-privilege local account is sufficient to trigger the out-of-bounds access; no administrative rights are needed.
Victim interactionNot required
No action from another user or administrator is needed for the attacker to exploit this vulnerability.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special memory layout requirements are needed.

Blast Radius

An attacker reads arbitrary kernel memory, including stored credentials, session tokens, and other sensitive kernel-resident data.
An attacker writes to out-of-bounds kernel memory, corrupting data structures or injecting malicious values into kernel state.
An attacker crashes the affected system by corrupting critical kernel memory, causing a kernel panic and service disruption.
All three impact dimensions are rated HIGH, meaning the attacker gains full control over the confidentiality, integrity, and availability of the host system.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against any customer image that bundles a Linux kernel version prior to 6.12.75 or 6.18.14, or that predates the listed upstream fix commits. Where compliance policy permits, HarborGuard makes a patched-image rebuild available immediately at the fixed kernel version; for customers with auto-remediation enabled, the rebuild is followed by a regression run and a pull request opened against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because this is a local, low-privilege flaw in a kernel GPU driver subsystem, customers who cannot immediately rebuild should consider restricting unprivileged access to the affected host and auditing which workloads expose a shell to untrusted users, as compensating controls until the patched image is deployed.

See how HarborGuard automates this

Fix available

0263e28add4f4472cfa95150d218955d1945aa41329f3824b08a98d41ecbbfd33580630d7607f962e6.12.756.18.146.19.47.0abde491143e4e12eecc41337910aace4e8d59603ca3808d560ad946ab6d089fd1f5bee04b952ead4

Affected packages

Linux / Linux
< 29f3824b08a98d41ecbbfd33580630d7607f962e (from 2728e9c7c84235d2d7bc1403174d071ffc82d6d2) · < 263e28add4f4472cfa95150d218955d1945aa413 (from 2728e9c7c84235d2d7bc1403174d071ffc82d6d2) · < ca3808d560ad946ab6d089fd1f5bee04b952ead4 (from 2728e9c7c84235d2d7bc1403174d071ffc82d6d2) · < abde491143e4e12eecc41337910aace4e8d59603 (from 2728e9c7c84235d2d7bc1403174d071ffc82d6d2)
Linux / Linux
6.9
Fixed in 0, 6.12.75, 6.18.14, 6.19.4, 7.0

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available