CVE-2025-71103 Overview
CVE-2025-71103 is a Null Pointer Dereference vulnerability in the Linux kernel's DRM/MSM Adreno GPU driver. On platforms with an a7xx GPU that does not support IFPC (Inter-Frame Power Collapse), the driver dereferences the ifpc_reglist in the a7xx_patch_pwrup_reglist() function even though the list was never set up, leading to a kernel crash.
Critical Impact
This vulnerability causes a complete kernel crash (system denial of service) when the affected GPU driver is initialized on platforms with a7xx GPUs that do not support IFPC functionality.
Affected Products
- Linux Kernel (DRM/MSM Adreno driver)
- Systems with Qualcomm Adreno a7xx GPUs without IFPC support
- Linux kernel versions prior to the security patch
Discovery Timeline
- January 14, 2026 - CVE-2025-71103 published to NVD
- January 14, 2026 - Last updated in NVD database
Technical Details for CVE-2025-71103
Vulnerability Analysis
This vulnerability is a classic Null Pointer Dereference issue in the Linux kernel's graphics subsystem. The root of the problem lies in the DRM/MSM Adreno driver's power-up register list initialization code. When the a7xx_patch_pwrup_reglist() function is called during GPU hardware initialization, it attempts to access the ifpc_reglist data structure without first verifying that the list was properly declared and allocated.
On hardware platforms where the a7xx GPU does not support IFPC (Inter-Frame Power Collapse), the ifpc_reglist pointer remains NULL. When the code reads through this pointer, the access lands at virtual address 0x0000000000000008 (an offset into the expected structure) and the kernel raises an unhandled page fault, resulting in a complete system crash.
The crash occurs during the GPU initialization path, specifically when the DRM client setup attempts to initialize the framebuffer device. The call trace shows the crash originates in a6xx_hw_init() and propagates through msm_gpu_hw_init(), adreno_load_gpu(), and msm_open() functions within the MSM DRM module.
Root Cause
The vulnerability stems from a missing validity check on the ifpc_reglist pointer before it is dereferenced in the a7xx_patch_pwrup_reglist() function. The code assumes the IFPC register list is always available, but on certain a7xx GPU configurations that do not support IFPC power management, this list is never initialized, leaving a NULL pointer that is subsequently accessed.
Attack Vector
The vulnerability is triggered locally during the GPU driver initialization sequence. When the DRM subsystem loads and attempts to configure the Adreno GPU, the NULL pointer dereference occurs automatically, with no user interaction beyond normal system boot or GPU driver loading. This is primarily a local denial of service condition. The crash can be triggered by:
- System boot on affected hardware configurations
- Loading the MSM DRM kernel module
- Any operation that triggers GPU hardware initialization
- DRM client applications attempting to open the GPU device
The crash manifests with the following kernel error pattern:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
pc : a6xx_hw_init+0x155c/0x1e4c [msm]
lr : a6xx_hw_init+0x9a8/0x1e4c [msm]
Detection Methods for CVE-2025-71103
Indicators of Compromise
- Kernel crash logs showing NULL pointer dereference at address 0x0000000000000008
- Stack traces referencing a6xx_hw_init, msm_gpu_hw_init, or adreno_load_gpu functions in the MSM module
- System instability or crashes during GPU initialization on a7xx hardware
- Kernel oops messages referencing the [msm] or [drm] modules
Detection Strategies
- Monitor system logs (dmesg, /var/log/kern.log) for NULL pointer dereference errors in the DRM/MSM subsystem
- Implement kernel crash dump analysis to identify crashes originating from the Adreno GPU driver
- Use kernel tracing tools to monitor the a6xx_hw_init and a7xx_patch_pwrup_reglist function calls
- Deploy automated kernel log monitoring to detect crash patterns associated with GPU initialization
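The log check from the list above, as an added example (not code from the kernel project or from this advisory): a Python scanner that pairs the NULL-dereference line with the pc line that follows it and reports an oops only when pc is a6xx_hw_init in [msm]. The function name, the 40-line window and the sample log are assumptions made for the example.

```python
import re

# Fault and pc formats follow the crash pattern quoted on this page.
FAULT_RE = re.compile(
    r"Unable to handle kernel NULL pointer dereference at virtual address ([0-9a-fA-F]+)")
PC_RE = re.compile(r"\bpc : (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
# Functions the page names in the call trace.
TRACE_RE = re.compile(r"\b(a6xx_hw_init|msm_gpu_hw_init|adreno_load_gpu|msm_open)\+0x")
WINDOW = 40  # assumption: the pc and call-trace lines follow the fault within 40 lines

# Constructed sample: the first three messages are the page's pattern; the
# timestamps, call-trace offsets and the second (unrelated) oops are made up.
SAMPLE_LOG = """\
[    5.101] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[    5.102] pc : a6xx_hw_init+0x155c/0x1e4c [msm]
[    5.103] lr : a6xx_hw_init+0x9a8/0x1e4c [msm]
[    5.104] Call trace:
[    5.105]  a6xx_hw_init+0x155c/0x1e4c [msm]
[    5.106]  msm_gpu_hw_init+0x58/0x88 [msm]
[    5.107]  adreno_load_gpu+0x94/0x1fc [msm]
[    5.108]  msm_open+0xe4/0xf4 [msm]
[    9.201] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[    9.202] pc : example_probe+0x10/0x80 [example]
""".splitlines()


def find_adreno_hw_init_oops(lines):
    """Return one finding per NULL-deref oops whose pc is a6xx_hw_init in [msm]."""
    findings = []
    for i, line in enumerate(lines):
        fault = FAULT_RE.search(line)
        if not fault:
            continue
        pc, seen = None, set()
        for follow in lines[i + 1:i + 1 + WINDOW]:
            if FAULT_RE.search(follow):
                break  # a new oops starts here; keep its frames separate
            pc = pc or PC_RE.search(follow)
            seen.update(TRACE_RE.findall(follow))
        if pc and pc.group(1) == "a6xx_hw_init" and pc.group(2) == "msm":
            findings.append({"line": i + 1,
                             "fault_address": int(fault.group(1), 16),
                             "trace_functions": sorted(seen)})
    return findings


if __name__ == "__main__":
    for finding in find_adreno_hw_init_oops(SAMPLE_LOG):
        print(finding)
```

A finding means the log matches the crash signature described here; confirming the cause still requires checking whether the running kernel carries the fix.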
Monitoring Recommendations
- Configure kdump or crash dump utilities to capture kernel crash data for post-mortem analysis
- Set up alerts for kernel oops messages involving the MSM DRM driver
- Monitor system stability metrics on devices with Qualcomm Adreno a7xx GPUs
- Review kernel module loading events for the msm driver on potentially affected systems
How to Mitigate CVE-2025-71103
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review kernel configuration to ensure the MSM DRM driver is properly configured for your hardware
- If updates are not immediately possible, consider disabling the MSM DRM module on affected systems
- Test kernel updates in a staging environment before deploying to production systems with a7xx GPUs
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix adds a validity check for ifpc_reglist before dereferencing the table to set up register values. Patches are available through the kernel git repository:
Additional technical details about the patch are available in the Freedesktop Patchwork submission.
Workarounds
- Blacklist the msm kernel module if the Adreno GPU is not required for system operation
- Use an alternative graphics driver if available for your hardware configuration
- Deploy the system without loading the DRM subsystem in environments where GPU functionality is not critical
- Apply the kernel patches manually if distribution updates are not yet available
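# Blacklist the MSM DRM module as a temporary workaround (run as root)
echo "blacklist msm" >> /etc/modprobe.d/blacklist-msm.conf
# Rebuild the initramfs so the blacklist also applies during early boot.
# update-initramfs is the Debian/Ubuntu tool; other distributions use their own.
update-initramfs -u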

