CVE-2025-40191
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix kfd process ref leaking when userptr unmapping
kfd_lookup_process_by_pid holds the kfd process reference to ensure it doesn't get destroyed while sending the segfault event to user space.
Calling kfd_lookup_process_by_pid as a function parameter leaks the kfd process refcount and misses the NULL pointer check if the app process is already destroyed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reference leak in the Linux kernel's AMD KFD driver can cause a use-after-free when unmapping userptrs, leading to a potential crash or privilege escalation.
Vulnerability
Overview
In the Linux kernel, the AMD KFD (Kernel Fusion Driver) component contains a reference counting flaw in how the kfd_lookup_process_by_pid function is called. When unmapping userptrs, the driver holds a reference to the KFD process to ensure it is not destroyed while sending a segfault event to user space. However, calling kfd_lookup_process_by_pid as a function parameter leaks the KFD process reference count and misses a NULL pointer check if the application process has already been destroyed [1].
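The calling pattern described above, modelled in userspace C as an added example (this is not the kernel's code or the fix commit's diff). All names (`proc_lookup_get`, `proc_put`, `signal_fault`, `notify_leaky`, `notify_fixed`) and the process table are hypothetical stand-ins for a lookup that takes a reference, the matching release, and the event sender.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not the amdkfd API. */
struct proc { int pid; int refs; int alive; int events; };

static struct proc table[] = {
    { 100, 1, 1, 0 },  /* constructed: live process, the table holds one ref */
    { 200, 0, 0, 0 },  /* constructed: process already destroyed */
};

/* Returns the process with an extra reference, or NULL if it is gone. */
static struct proc *proc_lookup_get(int pid)
{
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (table[i].pid == pid && table[i].alive) {
            table[i].refs++;
            return &table[i];
        }
    return NULL;
}

static void proc_put(struct proc *p) { p->refs--; }

/* Dereferences its argument, so a NULL argument would fault. */
static void signal_fault(struct proc *p) { p->events++; }

/* Before: lookup result passed straight in; no NULL check, no put. */
static void notify_leaky(int pid) { signal_fault(proc_lookup_get(pid)); }

/* After: keep the pointer, check it, and drop the reference when done. */
static int notify_fixed(int pid)
{
    struct proc *p = proc_lookup_get(pid);
    if (!p)
        return -1;      /* process already gone: nothing to signal */
    signal_fault(p);
    proc_put(p);
    return 0;
}

int main(void)
{
    notify_fixed(100);
    printf("fixed: refs=%d\n", table[0].refs);
    notify_leaky(100);
    printf("leaky: refs=%d\n", table[0].refs);
    return notify_fixed(200) == -1 ? 0 : 1;
}
```

In the model, the leaky form leaves the count one higher after every call, and it has no safe path for pid 200 because the NULL return goes straight into the callee.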
Exploitation
An attacker with local access and the ability to trigger userptr unmapping operations can exploit this bug. The missing NULL check and reference leak can lead to a use-after-free condition when the process is destroyed while the driver still holds a stale reference. No special privileges beyond local user access to the affected AMD GPU device are required, but the attack surface is limited to systems using the amdkfd driver.
Impact
Successful exploitation could result in a kernel crash (denial of service) or, in more severe cases, allow an attacker to escalate privileges by corrupting kernel memory. The vulnerability affects systems running the Linux kernel with the amdkfd module loaded.
Mitigation
The fix is included in the Linux kernel stable tree as commit 60f6112fc9b3 [1]. Users should apply the latest kernel updates from their distribution or compile a patched kernel. No workaround is available; updating the kernel is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2
60f6112fc9b358e6fc2fb94f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.