CVE-2024-26700: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26700 affects the Linux kernel's AMD display driver, specifically related to a NULL pointer dereference issue in the drm/amd/display component. The vulnerability was discovered in January 2024 and affects Linux kernel versions up to 6.1.82, 6.2 through 6.6.18, 6.7 through 6.7.6, and 6.8-rc1 through 6.8-rc3. The issue occurs specifically on RV (Raven) platform when handling DisplayPort MST configurations (NVD).

The vulnerability manifests as a NULL pointer dereference in the drmdpatomicfindtimeslots function when handling DisplayPort Multi-Stream Transport (MST) configurations. The issue occurs when a second DP monitor is connected, and the drmatomic_state in the display manager atomic check sequence does not include the connector state for the existing/first DP monitor. This leads to a null pointer dereference when the DSC (Display Stream Compression) determination policy attempts to iterate over the existing stream without a valid connector state (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash (denial of service) when a user connects a second DisplayPort monitor to an affected system running the AMD display driver. This particularly affects systems using the RV (Raven) platform (Kernel Patch).

The issue has been fixed in the Linux kernel through a patch that skips DSC determination policy for ASICs that don't have DSC support. The fix involves checking if DSC encoding is supported before attempting to compute MST DSC configurations. Users should update to kernel versions 6.1.82, 6.6.18, or 6.7.6 or later that include the fix (Kernel Patch).