Skip to main content

Linux Kernel EUVDEUVD-2025-209967

| CVE-2025-71303 MEDIUM
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9hw7-7g65-g445
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local-only vector with AC:H reflects the narrow race window; PR:L for standard user; only availability impacted, no confidentiality or integrity effect.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 23:16 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
4.7 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix race condition when checking rpm_on

When autosuspend is triggered, driver rpm_on flag is set to indicate that a suspend/resume is already in progress. However, when a userspace application submits a command during this narrow window, amdxdna_pm_resume_get() may incorrectly skip the resume operation because the rpm_on flag is still set. This results in commands being submitted while the device has not actually resumed, causing unexpected behavior.

The set_dpm() is called by suspend/resume, it relied on rpm_on flag to avoid calling into rpm suspend/resume recursivly. So to fix this, remove the use of the rpm_on flag entirely. Instead, introduce aie2_pm_set_dpm() which explicitly resumes the device before invoking set_dpm(). With this change, set_dpm() is called directly inside the suspend or resume execution path. Otherwise, aie2_pm_set_dpm() is called.

AnalysisAI

Race condition in the Linux kernel's accel/amdxdna driver allows a local low-privileged user to cause device availability impact on systems equipped with AMD XDna AI accelerator hardware. The flaw in the rpm_on flag check permits command submissions to the accelerator during a narrow autosuspend transition window before the device has fully resumed, producing undefined hardware behavior or driver crashes. No public exploit exists and EPSS is at the 6th percentile (0.02%), indicating negligible real-world exploitation probability; no active exploitation is confirmed.

Technical ContextAI

The amdxdna subsystem (accel/amdxdna) provides the Linux kernel driver for AMD's XDna AI accelerator IP. The vulnerability resides in the driver's integration with the kernel's Runtime PM (RPM) framework, which dynamically suspends idle peripheral devices to save power. To prevent recursive entry into RPM suspend/resume paths, the driver maintained a boolean flag rpm_on. During autosuspend, this flag was set while the transition was in progress; if a userspace thread concurrently called amdxdna_pm_resume_get() and observed rpm_on as set, it incorrectly inferred that resume had already occurred and skipped the actual resume call. This is a canonical TOCTOU race (CWE-362): the flag check and the device-state assumption it encodes are not atomic. The fix eliminates rpm_on entirely, replacing it with a new aie2_pm_set_dpm() function that unconditionally resumes the device before performing DPM operations. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, scoped to kernels containing the amdxdna driver with the vulnerable rpm_on logic introduced at commit 063db451832b8849faf1b0b8404b3a6a39995b29.

RemediationAI

The primary remediation is to upgrade to Linux kernel 6.19.4 or a later 7.0-series release incorporating the fix. The authoritative stable-tree patches are available at https://git.kernel.org/stable/c/e7cb75b6a5127d78298e39750b4f3185eca0dafc and https://git.kernel.org/stable/c/00ffe45ece80160aef446d74ded906352f21dd72; distribution kernel maintainers should be consulted for backport status to older LTS branches. If patching is not immediately feasible, disabling Runtime PM autosuspend for the amdxdna device via a udev rule (setting power/autosuspend_delay_ms to -1 for the relevant device node) eliminates the race window entirely by preventing the suspend/resume cycle that triggers the condition; the trade-off is increased power consumption on systems where the accelerator would otherwise idle. Systems without AMD XDna accelerator hardware are unaffected and require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2025-209967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy