CVE-2025-40354
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: increase max link count and fix link->enc NULL pointer access
[why]
1.) dc->links[MAX_LINKS] array size is smaller than actually requested: max_connector + max_dpia + 4 virtual = 14. Increase from 12 to 14.
2.) hw_init() accesses a NULL LINK_ENC for a dpia non-display_endpoint.
(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's AMD GPU driver, an out-of-bounds array access and a NULL pointer dereference in link handling were fixed by increasing the max link count and adding a NULL check.
Root Cause
The vulnerability in the Linux kernel's DRM/AMD Display Core involves two distinct issues. First, the dc->links[MAX_LINKS] array was sized at 12, but the actual hardware could require up to 14 entries (max connectors + max DPIA + 4 virtual), leading to a potential out-of-bounds array access. Second, during hardware initialization (hw_init()), the code could dereference a NULL pointer for link_enc (link encoder) when processing DPIA links (the driver's USB4 DisplayPort tunneling endpoint type) that are not display endpoints [1].
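A simplified model of the two defects and their fixes, added here as an example; it is not the kernel's code. The names (dc_add_link, dc_hw_init_links, links_fit) and the per-component counts are constructed stand-ins; the page only gives the sum of 14 and the old size of 12.

```c
/* Added example, not amdgpu code: models the link array sizing and the
 * hw_init NULL check described above. Component counts are constructed. */
#include <stddef.h>
#include <stdbool.h>

#define MAX_CONNECTORS 6   /* constructed: page gives only connectors+dpia=10 */
#define MAX_DPIA       4   /* constructed */
#define MAX_VIRTUAL    4   /* "4 virtual" from the commit message */

#define MAX_LINKS_OLD  12  /* buggy fixed size, smaller than worst-case demand */
#define MAX_LINKS      (MAX_CONNECTORS + MAX_DPIA + MAX_VIRTUAL) /* = 14 */

struct link_enc { int id; };
struct dc_link { struct link_enc *link_enc; /* NULL for a DPIA link */ };
struct dc {
    struct dc_link *links[MAX_LINKS];
    size_t link_count;
};

/* true when the requested link count fits the array; false means the
 * old capacity would have been written past its end. */
bool links_fit(size_t requested, size_t capacity)
{
    return requested <= capacity;
}

/* Appends a link only while there is room, returning false instead of
 * performing the out-of-bounds write the undersized array allowed. */
bool dc_add_link(struct dc *dc, struct dc_link *link)
{
    if (dc->link_count >= MAX_LINKS)
        return false;
    dc->links[dc->link_count++] = link;
    return true;
}

/* hw_init-style pass over the links. Links without an encoder (the DPIA
 * case) are skipped; this is the NULL check the patch adds. Returns the
 * number of encoders initialised. */
int dc_hw_init_links(const struct dc *dc)
{
    int inited = 0;
    for (size_t i = 0; i < dc->link_count; i++) {
        struct dc_link *link = dc->links[i];
        if (!link->link_enc)
            continue;
        link->link_enc->id = (int)i;
        inited++;
    }
    return inited;
}
```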
Attack Vector & Prerequisites
This vulnerability is exploitable only by an attacker with local access to the system, as it requires loading or reloading the AMD GPU driver module (amdgpu) with a specific display configuration that triggers the array overflow or the NULL pointer path. No special privileges beyond local user access are needed to trigger the bug through normal display operations (e.g., hotplugging or driver initialization) [1].
Impact
Successful exploitation could lead to a kernel crash (denial of service) due to the memory corruption from the array overflow or the NULL pointer dereference. While the fix specifically addresses stability issues, the out-of-bounds write could, in theory, be leveraged for privilege escalation in environments where the attacker controls display hardware configuration [1].
Mitigation
The fix was included in a stable kernel commit cherry-picked from upstream (commit d7f5a61e1b04). Users should update to a kernel version containing this patch. No known workaround exists, as the issue is in the driver's hardware initialization path [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.