What is the CVSS score of CVE-2025-71294?

CVE-2025-71294 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2025-71294?

Yes, a patch is available for CVE-2025-71294. Update the affected software to the latest version immediately.

Linux Kernel CVE-2025-71294

EUVD-2025-209682 MEDIUM

NULL Pointer Dereference (CWE-476)

2026-05-06 Linux

GHSA-xgp5-j47w-j4jx

Denial Of Service Linux Null Pointer Dereference Red Hat Suse

5.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 13, 2026 - 00:01 vuln.today

CVSS changed

May 12, 2026 - 21:37 NVD

5.5 (MEDIUM)

Patch available

May 06, 2026 - 13:02 EUVD

CVE Published

May 06, 2026 - 11:32 nvd

MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix NULL pointer issue buffer funcs

If SDMA block not enabled, buffer_funcs will not initialize, fix the null pointer issue if buffer_funcs not initialized.

AnalysisAI

Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.

Technical ContextAI

The amdgpu driver in the Linux kernel's Direct Rendering Manager (DRM) subsystem manages AMD graphics hardware initialization. The SDMA (System DMA) block is an optional hardware component for data transfer operations. When the SDMA block is not enabled during driver initialization, the buffer_funcs structure pointer remains uninitialized (NULL). Subsequent code paths that assume buffer_funcs is always valid will dereference this NULL pointer, triggering a kernel panic. The root cause is CWE-476 (Null Pointer Dereference), where conditional initialization logic fails to validate pointer state before use. The fix adds explicit NULL checks before buffer_funcs access in code paths that can execute regardless of SDMA enablement status.

RemediationAI

Apply kernel security updates: upgrade to Linux 6.12.75 or later, 6.18.16 or later, 6.19.6 or later, or 7.0 with patch applied. Patch commits are available at https://git.kernel.org/stable/c/276028fd9b60bbcc68796d1124b6b58298f4ca8a and mirror URLs. For systems that cannot immediately patch, mitigate by restricting local user access to affected systems via SELinux or AppArmor policies that prevent non-administrative users from triggering GPU initialization paths; this is a defense-in-depth measure but does not eliminate risk for multi-user systems. Alternatively, disable amdgpu driver loading entirely if GPU acceleration is not required (trade-off: loss of GPU functionality). If SDMA hardware is available and can be enabled in BIOS/UEFI, enabling it may prevent the NULL pointer condition, though this should be verified with your specific AMD GPU model and kernel version.