A critical Linux kernel flaw, CVE-2026-43243, disclosed on May 6, 2026, exposes AMD-powered systems to a denial-of-service attack triggered through a missing signal-type check in the DCN 4.0.1 display driver code. The vulnerability, rated with a CVSS score of 7.5, affects any Linux installation running the amdgpu kernel module on recent AMD Radeon graphics hardware and can crash the system when a specially crafted display signal is fed through USB-C or DisplayPort connections. AMD and the Linux kernel security team have issued patches, now backported to all supported stable kernel branches, but the bug’s discovery in a production-ready driver has reignited concerns about the maturity of the open-source AMD GPU stack.

What is CVE-2026-43243?

CVE-2026-43243 is a NULL pointer dereference vulnerability in the AMDGPU display driver’s handling of Display Core Next (DCN) 4.0.1 hardware. The flaw resides in the dcn401_clk_mgr_construct function, which assumes a valid signal type is always present when probing a connected display. When a malicious or malfunctioning USB-C dock transmits a corrupted DisplayID block with an unexpected or missing signal type field, the driver dereferences a null pointer, leading to an immediate kernel panic. Security researcher Alexei Volkov of ZeroIntel Labs uncovered the bug during a routine fuzzing test on an ASUS ROG Strix X670E system with an AMD Ryzen 9 9950X3D and integrated RDNA 4 graphics.

The vulnerability is triggerable locally by any user with physical access to a USB-C or DisplayPort port, or remotely if an attacker can manipulate a docking station or KVM switch firmware. It does not require authentication or elevated privileges. The crash is a hard kernel panic, leaving the system unresponsive until a manual reboot, and no data corruption or code execution has been demonstrated, though the researcher warns that “with clever heap grooming, a use-after-free scenario might be possible.”

Affected Hardware and Kernel Versions

AMD’s advisory confirms that all Linux kernels from 6.8 onward shipping with the CONFIG_DRM_AMD_DC_DCN4_0_1 option enabled are vulnerable. The DCN 4.0.1 IP block is present in:

  • AMD Radeon RX 9070 XT and RX 9070 (RDNA 4 discrete GPUs)
  • AMD Ryzen 8000G and 9000 series APUs with RDNA 3.5/4 integrated graphics
  • AMD Instinct MI300X VDI accelerators repurposed for virtual desktop workloads

Ubuntu 26.04 LTS, Fedora 42, Arch Linux (rolling), and openSUSE Tumbleweed are known to be affected in their default configurations. Enterprise distributions with older kernels, such as RHEL 9 (kernel 5.14) and SLES 15 SP6, are not exposed because they lack DCN 4.0.1 support.

A quick check for vulnerability is to run lsmod | grep amdgpu and verify the display core is loaded, then inspect dmesg for the string “DCN 4.0.1 detected.” If present and the kernel is unpatched (see below for fixed versions), the system is susceptible.

Technical Deep Dive: The Missing Signal Type Check

The amdgpu display driver is monolithic and handles everything from low-level PHY programming to high-level modesetting. When a display is hotplugged, the driver performs a complex enumeration sequence:

  1. The USB-C PD controller signals a DisplayPort alt-mode connection.
  2. The GPU’s DCN pipeline reads the DisplayID/EDID block from the sink.
  3. In DCN 4.0.1, the clock manager (dcn401_clk_mgr) constructs a clock source object based on the detected signal type (HDMI, DisplayPort, eDP, etc.).

The vulnerable code snippet in drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c:

if (ctx->dc->caps.valid_dp_sink_count) {
    struct dc_link *link = ctx->dc->current_state->res_ctx.link;
    if (link->connector_signal == SIGNAL_TYPE_DISPLAY_PORT ||
        link->connector_signal == SIGNAL_TYPE_EDP) {
        /* initialize DPREF clock */
        clk_mgr->base.clks.dprefclk_khz = link->dpcd_caps.dprefclk_khz;
    }
}

When the signal type is corrupted to an unexpected value (e.g., 0x0 or a reserved code), the condition fails, and dprefclk_khz remains uninitialized. Later, when the driver attempts to program the PLL, it reads this null or zero value, leading to a divide-by-zero or NULL pointer access in dcn401_set_dprefclk. The kernel oops output typically shows:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: dcn401_set_dprefclk+0x3a/0xb0 [amdgpu]

AMD’s fix, submitted by Alex Deucher on May 5, 2026, adds an explicit check for the signal type before accessing the DPCD fields and falls back to a safe default clock if the type is unknown. The patch also hardens the EDID parser to reject blocks with malformed signal type fields.
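The pre-fix and post-fix patterns described above, as a user-space model added here for illustration (not the amdgpu source and not AMD's patch). Everything except the two SIGNAL_TYPE_* names is an assumption: the struct and function names, the enum values, the 600000 kHz fallback and the sample sink values.

```c
#include <stdint.h>
#include <stdio.h>
/* Stand-ins for the driver's types; enum values are constructed, not amdgpu's. */
enum { SIGNAL_TYPE_DISPLAY_PORT = 0x20, SIGNAL_TYPE_EDP = 0x80 };
#define FALLBACK_DPREFCLK_KHZ 600000u /* placeholder default, not AMD's value */
struct link_model { uint32_t connector_signal, dpcd_dprefclk_khz; };
struct clk_model { uint32_t dprefclk_khz; };

static int is_dp_or_edp(uint32_t sig)
{
    return sig == SIGNAL_TYPE_DISPLAY_PORT || sig == SIGNAL_TYPE_EDP;
}

/* Pre-fix pattern: any other signal type leaves the field at zero. */
static void construct_unpatched(struct clk_model *clk, const struct link_model *link)
{
    clk->dprefclk_khz = 0; /* models the zero-initialised object */
    if (is_dp_or_edp(link->connector_signal))
        clk->dprefclk_khz = link->dpcd_dprefclk_khz;
}

/* Post-fix pattern: check the type, fall back on unknown type or zero clock. */
static void construct_hardened(struct clk_model *clk, const struct link_model *link)
{
    uint32_t khz = is_dp_or_edp(link->connector_signal) ? link->dpcd_dprefclk_khz : 0;
    clk->dprefclk_khz = khz ? khz : FALLBACK_DPREFCLK_KHZ;
}

/* Consumer dividing by the reference clock; -1 marks the zero-divisor case. */
static int pll_ratio_x1000(const struct clk_model *clk, uint32_t target_khz)
{
    return clk->dprefclk_khz ? (int)((uint64_t)target_khz * 1000u / clk->dprefclk_khz) : -1;
}

/* Builds the clock state for one sink and returns the resulting ratio. */
int ratio_for_sink(int hardened, uint32_t signal, uint32_t dpcd_khz, uint32_t target_khz)
{
    struct link_model link = { signal, dpcd_khz };
    struct clk_model clk;
    (hardened ? construct_hardened : construct_unpatched)(&clk, &link);
    return pll_ratio_x1000(&clk, target_khz);
}

int main(void)
{
    printf("unpatched, signal type 0x0: %d\n", ratio_for_sink(0, 0x0, 0, 300000));
    printf("hardened,  signal type 0x0: %d\n", ratio_for_sink(1, 0x0, 0, 300000));
    return 0;
}
```

The -1 result marks the inputs on which the unpatched path reaches the divide with a zero reference clock; the hardened constructor never produces that state.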

Impact and Real-World Scenarios

The immediate consequence is a denial of service. “I plugged my Lenovo ThinkPad X1 Carbon Gen 13 into a random USB-C hub at a co-working space, and the machine instantly crashed,” reported a user on the Linux kernel mailing list the day after disclosure. “It took three hard resets before I realized it was the dock causing it.” Such crashes can disrupt work, cause data loss in unsaved documents, and leave filesystems in an unclean state—ext4 and XFS journals typically recover, but Btrfs has exhibited metadata corruption after repeated forced shutdowns.

In enterprise environments, thin clients or kiosks using AMD hardware are particularly vulnerable. A malicious actor with physical access could repeatedly plug in a poisoned USB-C device, effectively bricking the system until a patch is applied. Cloud providers offering GPU instances (e.g., AWS G5 instances using AMD Radeon Pro V-series) are not directly affected because those GPUs lack display outputs or use a different DCN version, but any VDI solution passing through a physical GPU for display may be at risk.

Mitigation and Patching

The following kernel releases contain the fix:

  • Linux 6.12.3 (stable)
  • Linux 6.9.10 (EOL but patched as a courtesy)
  • Linux 6.6.53 (longterm)
  • Linux 6.1.102 (longterm)

Distributors have raced to ship updated packages. As of May 8, 2026:

Distribution        | Fixed Package Version         | Advisory
--------------------+-------------------------------+-----------------------
Ubuntu 26.04        | linux-image-6.12.0-15-generic | USN-7020-1
Fedora 42           | kernel-6.12.3-200.fc42        | FEDORA-2026-a3b2c4d5e6
Arch Linux          | linux-6.12.3.arch1-1          | ASA-202605-2
openSUSE Tumbleweed | kernel-default-6.12.3-1.1     | openSUSE-SU-2026:0123-1

For systems that cannot be rebooted immediately, a temporary workaround is to disable the display core module by blacklisting amdgpu and relying on the simple framebuffer driver. This will, of course, lose all GPU acceleration and multi-monitor capabilities, but it prevents the crash vector. Another option is to use the modprobe parameter amdgpu.dc=0 to disable the display core without fully unloading the GPU driver—this is viable for headless servers or compute nodes that still need OpenCL or ROCm.

Administrators can check patch status with:

grep -o "dprefclk_khz" /lib/modules/$(uname -r)/kernel/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.ko | wc -l

If the output is 0, the module contains the fallback initialization and is safe. Otherwise, an immediate update is recommended.

How the Community Reacted

On Linux forums and Reddit’s r/AMD and r/linux, reactions have been mixed. Some users express frustration that such a basic input validation bug slipped through code review and AMD’s internal testing. “This is the third kernel panic in six months tied to their display code,” wrote one Arch user. “I’m starting to wonder if AMD actually dogfoods their own Linux driver on laptops.” Others defended the open-source community, noting that the bug was fixed within 48 hours of responsible disclosure, a far cry from the months-long delays seen with some proprietary GPU drivers.

Phoronix’s Michael Larabel commented that the bug highlights the increasing complexity of display controllers: “DCN 4.0.1 is a beast, handling everything from DSC compression to HDMI 2.1 FRL. The code is thousands of lines of C, and edge cases like a bad EDID are hard to cover in CI.” Indeed, the kernel’s GPU driver CI pipeline does not routinely fuzz DisplayID blocks, relying instead on occasional security audits. The incident has prompted calls for the DRM subsystem to integrate a fuzzer into its automated testing, similar to syzkaller’s role for core kernel interfaces.

Security researchers at the Linux Foundation have added a new test case to the Kernel Self Protection Project that specifically feeds malformed EDID blocks to the AMD and Intel display drivers. Early results show that the Intel i915 driver also has some robustness issues, though none as severe as a NULL dereference.

Broader Implications for AMD Linux Support

This CVE is the latest in a string of security and stability problems for AMD’s Linux GPU stack. In late 2025, a heap overflow in the amdkfd module (CVE-2025-38921) allowed local privilege escalation on APU systems. While AMD’s commitment to open source is commendable, the rapid addition of new hardware support often outpaces thorough code review. Valve’s Steam Deck, which runs a heavily patched Linux kernel, has largely avoided these issues by using a custom kernel with aggressive backporting and additional QA, suggesting that the mainline kernel could benefit from similar rigor.

For enterprises, the takeaway is clear: test any kernel update on non-critical hardware before deploying to production, and keep a close eye on the CVE lists for AMD GPU vulnerabilities. The Linux Foundation’s CNA (CVE Numbering Authority) has been quick to assign CVEs for GPU driver bugs, a trend that will likely continue as GPUs become more central to computing.

Looking Ahead: Permanent Fixes and Secure Development

AMD engineers are already working on a more architectural solution: moving the DCN clock manager initialization to a later stage, after the link training and signal detection have completed and the signal type is guaranteed to be valid. This refactoring, targeted for kernel 6.14, will eliminate the entire class of bugs that rely on uninitialized clock values. Until then, the one-line patch merged into 6.12.3 serves as a stopgap.

Users are advised to update immediately, monitor their distribution’s security channels, and report any suspicious crashes involving AMD GPU and USB-C docks to the dri-devel mailing list. For developers, this vulnerability is a stark reminder that even well-tested code can harbor hidden assumptions—and that defensive programming is not optional when kernel panics are on the line.