VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40148

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions

The function dc_stream_set_cursor_attributes() currently dereferences the stream pointer and nested members stream->ctx->dc->current_state without checking for NULL.

All callers of these functions, such as in dcn30_apply_idle_power_optimizations() and amdgpu_dm_plane_handle_cursor_update(), already perform NULL checks before calling these functions.

Fixes below:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes()
error: we previously assumed 'stream' could be null (see line 334)

drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c
    327 bool dc_stream_program_cursor_attributes(
    328         struct dc_stream_state *stream,
    329         const struct dc_cursor_attributes *attributes)
    330 {
    331         struct dc *dc;
    332         bool reset_idle_optimizations = false;
    333
    334         dc = stream ? stream->ctx->dc : NULL;
                     ^^^^^^
The old code assumed stream could be NULL.

    335
--> 336         if (dc_stream_set_cursor_attributes(stream, attributes)) {
                                                    ^^^^^^
The refactor added an unchecked dereference.

drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c
    313 bool dc_stream_set_cursor_attributes(
    314         struct dc_stream_state *stream,
    315         const struct dc_cursor_attributes *attributes)
    316 {
    317         bool result = false;
    318
    319         if (dc_stream_check_cursor_attributes(stream, stream->ctx->dc->current_state, attributes)) {
                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Here. This function used to check if stream was NULL and return false at the start. Probably we should add that back.
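The pattern in the report above, modeled in user-space C as an added example (not the kernel's code or the upstream patch). The struct layouts, the shortened function names and the width/height rule in the validator are assumptions made for illustration; only the stream->ctx->dc->current_state chain comes from the report.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for the driver's types; only the pointer chain
 * stream->ctx->dc->current_state from the report is modeled. */
struct dc_state { int unused; };
struct dc { struct dc_state *current_state; };
struct dc_context { struct dc *dc; };
struct dc_stream_state { struct dc_context *ctx; };
struct dc_cursor_attributes { unsigned int width, height; };

/* Assumed validator: even though it rejects a NULL stream itself, it cannot
 * protect a caller that dereferences stream while building the arguments. */
static bool check_cursor_attributes(const struct dc_stream_state *stream,
                                    const struct dc_state *state,
                                    const struct dc_cursor_attributes *attr)
{
    if (!stream || !state || !attr)
        return false;
    return attr->width > 0 && attr->height > 0; /* placeholder rule */
}

/* Shape flagged in the report: stream->ctx->dc->current_state is evaluated
 * as an argument, before any callee can test stream. Never pass NULL here. */
bool set_cursor_attributes_unchecked(struct dc_stream_state *stream,
                                     const struct dc_cursor_attributes *attr)
{
    return check_cursor_attributes(stream, stream->ctx->dc->current_state, attr);
}

/* Guarded form: reject NULL at entry, as the report suggests adding back. */
bool set_cursor_attributes_checked(struct dc_stream_state *stream,
                                   const struct dc_cursor_attributes *attr)
{
    if (!stream)
        return false;
    return set_cursor_attributes_unchecked(stream, attr);
}

/* Caller from the report: derive dc behind the same NULL test, so the result
 * no longer depends on every call site remembering its own check. */
bool program_cursor_attributes(struct dc_stream_state *stream,
                               const struct dc_cursor_attributes *attr)
{
    struct dc *dc = stream ? stream->ctx->dc : NULL;
    if (!dc)
        return false;
    return set_cursor_attributes_checked(stream, attr);
}
```

The validator's own NULL test never runs in the unchecked form, because C evaluates the argument expression at the call site first; that is why the guard has to sit at the top of the function that builds the arguments.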

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NULL pointer dereference in AMD GPU driver's cursor attribute functions can be triggered by a crafted stream state, leading to kernel crash.

In the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, the dc_stream_set_cursor_attributes() and dc_stream_program_cursor_attributes() functions lack proper NULL checks for the stream pointer. Specifically, dc_stream_set_cursor_attributes() accesses stream->ctx->dc->current_state without verifying that stream is non-NULL, causing a NULL pointer dereference when called with a NULL stream.

Triggering this vulnerability requires a call to these functions with a NULL stream argument. While many callers, such as dcn30_apply_idle_power_optimizations() and amdgpu_dm_plane_handle_cursor_update(), already perform NULL checks before invocation, the internal functions themselves do not enforce this precondition. A malformed or malicious user-mode request that bypasses the caller-level checks could reach the vulnerable code path.

Exploiting this NULL pointer dereference results in a kernel panic (denial of service). The nature of the vulnerability does not suggest arbitrary code execution in typical configurations, but the crash can disrupt system availability.

The fix was merged via commit bf4e4b97d0fd in the mainline Linux kernel. System administrators should apply the latest kernel updates to ensure the patch is included [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
