Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71293

CVE-2025-71293: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71293 is a use-after-free vulnerability in the Linux kernel's AMD GPU RAS driver that causes NULL pointer dereference. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71293 Overview

CVE-2025-71293 is a NULL pointer dereference vulnerability in the Linux kernel's amdgpu Direct Rendering Manager (DRM) driver. The flaw resides in the Reliability, Availability, and Serviceability (RAS) subsystem, specifically in amdgpu_ras_sysfs_badpages_read. When EEPROM contains only invalid address entries, RAS data allocation is skipped, leaving an unallocated structure that the sysfs read path later dereferences. Reading the bad pages sysfs node triggers a kernel oops at address 0x0000000000000010. The upstream fix moves the data allocation call before the bad page check, ensuring the structure exists regardless of EEPROM content.

Critical Impact

Local users reading the amdgpu RAS bad pages sysfs entry on affected hardware can trigger a kernel NULL pointer dereference, causing a denial of service through kernel oops.

Affected Products

  • Linux kernel versions including the amdgpu DRM driver with RAS bad page sysfs support
  • Systems using AMD GPUs with EEPROM-backed RAS error records
  • Distributions shipping affected kernels (observed on Ubuntu kernel 6.8.0-38-generic per the reported oops)

Discovery Timeline

  • 2026-05-06 - CVE-2025-71293 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2025-71293

Vulnerability Analysis

The vulnerability is a [CWE-476] NULL pointer dereference in the AMD GPU RAS subsystem. The function amdgpu_ras_sysfs_badpages_read reads bad page records exposed through sysfs. It depends on a RAS data structure being allocated during driver initialization. When the EEPROM contains only invalid address entries, the initialization path skips the allocation as an optimization. The sysfs handler does not validate that the structure exists before dereferencing it.

The captured kernel trace shows a fault at RIP: amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 with CR2: 0000000000000010, confirming a dereference of an offset within a NULL pointer. The same logic gap also produces negative values in the remaining space calculation, indicating arithmetic on uninitialized state. Successful triggering requires local access to the /sys interface exposed by the amdgpu driver, typically restricted to privileged users but readable by any process granted access to the sysfs node.

Root Cause

The defect is an ordering bug in the driver initialization sequence. RAS data allocation was conditionally performed only after a bad page validity check. When all EEPROM entries were invalid, the allocation was bypassed while the sysfs interface was still registered. The fix relocates the kzalloc-style allocation to occur before the bad page check, removing the condition that produced the unallocated state.

Attack Vector

A local user reads the bad_pages sysfs file under the amdgpu RAS directory. On systems where the EEPROM contains only invalid address records, this read dispatches into amdgpu_ras_sysfs_badpages_read, which dereferences the unallocated RAS data structure. The result is a kernel oops and termination of the reading task, with potential cascading instability on the affected CPU. No code is required beyond a standard cat of the sysfs entry, as documented in the upstream report (Comm: cat).

// No verified exploitation code published.
// Trigger conditions described in upstream commit message:
// 1. AMD GPU with EEPROM containing only invalid bad page entries
// 2. Read of the amdgpu RAS bad_pages sysfs node
// Result: NULL pointer dereference at offset 0x10

Detection Methods for CVE-2025-71293

Indicators of Compromise

  • Kernel oops messages referencing amdgpu_ras_sysfs_badpages_read in dmesg or /var/log/kern.log
  • Page fault entries showing CR2: 0000000000000010 paired with the amdgpu module in the call trace
  • Unexpected termination of processes reading files under /sys/class/drm/card*/device/ras/

Detection Strategies

  • Monitor kernel ring buffer output for BUG: kernel NULL pointer dereference events tied to the amdgpu module
  • Inventory hosts running affected kernel builds with AMD GPUs and validate RAS EEPROM state where supported
  • Correlate sysfs read activity against subsequent kernel oops events to identify trigger sources

Monitoring Recommendations

  • Forward kernel logs to a centralized log platform and alert on amdgpu_ras_sysfs fault signatures
  • Track package versions of the kernel across the fleet to confirm patch coverage
  • Audit which local accounts and services read amdgpu RAS sysfs entries during routine operations

How to Mitigate CVE-2025-71293

Immediate Actions Required

  • Apply the upstream Linux kernel patches that move RAS data allocation before the bad page check
  • Update to a distribution kernel that includes the fix once available from the vendor
  • Restrict local access on multi-tenant systems with AMD GPUs until patched kernels are deployed

Patch Information

The fix is committed upstream in the stable tree. Refer to the Linux Kernel Commit 0b7f78ca, Linux Kernel Commit 5c685235, and Linux Kernel Commit bd68a140 for the exact change. The patch reorders the allocation in amdgpu_ras_recovery_init so RAS data exists before the bad page validation runs.

Workarounds

  • Restrict read permissions on /sys/class/drm/card*/device/ras/bad_pages to administrative accounts only
  • Where feasible, disable the RAS sysfs interface or unload the amdgpu module on systems that do not require GPU error reporting
  • Avoid manual reads of the bad pages sysfs entry on unpatched hosts with AMD GPUs reporting only invalid EEPROM records
bash
# Verify running kernel and confirm patch presence
uname -r
# Inspect amdgpu RAS sysfs nodes (run only on patched hosts)
ls -l /sys/class/drm/card*/device/ras/
# Restrict access to the bad_pages node as a temporary control
chmod 600 /sys/class/drm/card0/device/ras/bad_pages

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.