CVE-2026-43243

Vulnerability

CVE-2026-43243 is a vulnerability in the Linux kernel's AMD display driver (drm/amd/display) for the dcn401 hardware variant. The function get_phyd32clk_src lacks a signal type check before accessing the link encoder; attempting to access the link encoder on a DPIA (DisplayPort alternate mode / USB-C) link triggers a NULL pointer dereference or other memory safety fault, leading to a system crash [1][2].

Exploitation

An attacker with local access or the ability to trigger display mode changes on a system with an AMD GPU using dcn401 can exploit this flaw. The crash occurs when the driver attempts to retrieve the PHY clock source for a DPIA link without verifying that the link is not a DPIA type. No special privileges beyond the ability to change display configurations are required, though physical or console access is typically necessary to initiate such operations [3][4].

Impact

The primary impact is a denial of service (kernel crash), as the missing check causes an invalid memory access when processing DPIA links. This could be leveraged to cause system instability or render the system unusable until a reboot. The CVSS v3 base score of 5.5 (Medium) reflects the local attack vector and availability impact.

Mitigation

The vulnerability has been patched in the Linux kernel stable tree. Fixes are included in commits identified in the references [1][2][3][4]. Users are advised to update their kernel to a version containing these fixes. No workaround is available other than avoiding the use of DPIA links on affected hardware.