CVE-2025-40334

Root

Cause

The vulnerability resides in the drm/amdgpu driver within the Linux kernel. The driver fails to validate the virtual address and size of a user queue (userq) buffer object. Without this validation, the kernel cannot determine whether the buffer is resident in a valid virtual memory mapping [1].

Exploitation

To exploit this flaw, an attacker must have local access to the system and the ability to submit user queue commands to the AMD GPU. By crafting a userq buffer with an invalid virtual address or size, the attacker can cause the kernel to operate on a buffer that is not properly mapped, leading to memory corruption [1].

Impact

Successful exploitation could result in a local attacker could trigger a use-after-free condition or access invalid memory regions. This could result in a system crash (denial of service) or potentially allow privilege escalation if the attacker can control the corrupted memory [1].

Mitigation

The fix was applied in the Linux kernel stable tree via commit 9e46b8bb0539d7bc9a9e7b3072fa4f6082490392. Users should update their kernel to a version containing this commit to include this commit or a backport [1].