CVE-2025-40339

Vulnerability

Overview

In the Linux kernel's amdgpu DRM driver, a null pointer dereference vulnerability exists in the amdgpu_vm_handle_moved function. The root cause is that when an amdgpu_bo_va structure corresponds to the private virtual address (fpriv->prt_va), its bo (buffer object) pointer is always NULL. The code previously did not account for this special case, leading to a NULL pointer dereference when attempting to access the bo field during page table update processing [1].

Exploitation

Conditions

To exploit this vulnerability, an attacker would need local access to the system and the ability to trigger the code path that processes moved virtual memory for a private virtual address. This typically requires performing GPU operations that cause page table updates, such as memory mapping or buffer migration. No special privileges beyond local user access are required, as the driver is accessible from user space via the Direct Rendering Manager (DRM) interface.

Impact

A successful exploit of this null pointer dereference can lead to a kernel crash (denial of service). In some cases, if an attacker can control the memory layout, it might be possible to achieve privilege escalation by exploiting the resulting kernel panic or by corrupting kernel memory. The vulnerability is classified as a high-severity issue due to the potential for system instability and local privilege escalation.

Mitigation

The fix has been applied in the Linux kernel stable tree via commit 47281febebe337586569aa4c5694a7511063a42e [1]. Users are advised to update their kernel to a version that includes this patch. No workaround is available; updating the kernel is the recommended mitigation.