Skip to main content

Linux Kernel amdgpu CVE-2025-71293

| EUVDEUVD-2025-209684 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-4x9q-vprp-3qvr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 10:45 vuln.today
CVSS changed
May 13, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:02 EUVD
CVE Published
May 06, 2026 - 11:32 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/ras: Move ras data alloc before bad page check

In the rare event if eeprom has only invalid address entries, allocation is skipped, this causes following NULL pointer issue [ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 547.118897] #PF: supervisor read access in kernel mode [ 547.130292] #PF: error_code(0x0000) - not-present page [ 547.141689] PGD 124757067 P4D 0 [ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu [ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025 [ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76 [ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246 [ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000 [ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800 [ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000 [ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092 [ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000 [ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0 [ 547.389321] PKRU: 55555554 [ 547.395316] Call Trace: [ 547.400737] <TASK> [ 547.405386] ? show_regs+0x6d/0x80 [ 547.412929] ? __die+0x24/0x80 [ 547.419697] ? page_fault_oops+0x99/0x1b0 [ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0 [ 547.438249] ? exc_page_fault+0x83/0x1b0 [ 547.446949] ? asm_exc_page_fault+0x27/0x30 [ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.470040] ? mas_wr_modify+0xcd/0x140 [ 547.478548] sysfs_kf_bin_read+0x63/0xb0 [ 547.487248] kernfs_file_read_iter+0xa1/0x190 [ 547.496909] kernfs_fop_read_iter+0x25/0x40 [ 547.506182] vfs_read+0x255/0x390

This also result in space left assigned to negative values. Moving data alloc call before bad page check resolves both the issue.

AnalysisAI

NULL pointer dereference in the Linux kernel's amdgpu RAS (Reliability, Availability, and Serviceability) driver crashes the kernel when a local user reads the sysfs badpages interface on a system whose AMD GPU EEPROM contains only invalid address entries. The driver skips RAS data allocation under this condition, and the subsequent read of amdgpu_ras_sysfs_badpages_read dereferences the uninitialized pointer, producing a kernel panic and complete denial of service. No public exploit exists and no active exploitation has been identified; EPSS is 0.02% (4th percentile), reflecting very low real-world risk.

Technical ContextAI

The amdgpu driver's RAS subsystem tracks GPU hardware errors and bad memory pages, persisting this data in an EEPROM-backed store. The root cause is CWE-476 (NULL Pointer Dereference): in the edge case where EEPROM contains exclusively invalid address entries, the driver's amdgpu_ras_sysfs_badpages_read function reaches its page-iteration loop before the RAS data buffer has been allocated, because the allocation was gated after the bad-page validity check. The fix moves the allocation call to occur before that check, ensuring the buffer is always initialized before use. The full kernel oops trace in the description confirms the crash occurs at amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 with a NULL dereference at address 0x10, consistent with accessing a member at a fixed offset of a NULL struct pointer. Affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, spanning all kernel versions from the initial commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) up to the three fix commits in the 6.18, 6.19, and mainline stable trees.

RemediationAI

Apply the upstream stable kernel patches available at https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df (6.18.x branch, fixed in 6.18.16), https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75 (6.19.x branch, fixed in 6.19.6), or https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac (mainline, fixed in 7.0). Ubuntu, Red Hat, and SUSE users should await and apply distribution-specific kernel updates that backport these commits. As a compensating control, restricting read access to the amdgpu RAS sysfs interface (e.g., adjusting file permissions on the relevant sysfs badpages node) would prevent the crash without disabling GPU functionality, though it may interfere with GPU health monitoring tooling. Blacklisting the amdgpu kernel module (blacklist amdgpu in /etc/modprobe.d/) eliminates the attack surface entirely but disables all AMD GPU functionality - this is appropriate only for systems where the GPU is not in active use.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-71293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy