CVE-2025-68190
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.
Return -ENOMEM on allocation failure to avoid the NULL dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a missing kcalloc() failure check in amdgpu_atom_execute_table_locked() can lead to a NULL pointer dereference.
Vulnerability
Analysis
In the Linux kernel's AMDGPU driver, the function amdgpu_atom_execute_table_locked() uses kcalloc() to allocate a workspace (WS) buffer when the WS size is non-zero. The vulnerability arises because the return value of kcalloc() is not checked for failure. If the allocation fails, ectx.ws remains NULL while ectx.ws_size is set to the requested size, leading to a potential NULL pointer dereference in atom_get_src_int() when it accesses WS entries [1].
Exploitation
The attack surface is local, requiring the ability to trigger a memory allocation failure in a specific code path of the AMDGPU driver. No special privileges are mentioned; however, the user would need to have access to DRM operations that invoke the atom execution table, which typically requires a logged-in user with GPU access. The exploitation scenario involves an out-of-memory condition or a crafted environment that causes kcalloc() to fail, after which a subsequent operation dereferences the NULL ectx.ws pointer [1].
Impact
A successful exploit could lead to a NULL pointer dereference, which in the kernel context results in a denial of service (system crash or hang). The impact is limited to availability, as the vulnerability does not provide code execution or privilege escalation according to the patch description [1].
Mitigation
The vulnerability is fixed by adding a check for the return value of kcalloc() and returning -ENOMEM if the allocation fails. The patch is included in the Linux kernel stable tree as commit cc9a8e238e42. Users should update their kernel to a version containing this fix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
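The failure mode described above, as an added example: a simplified userspace model, not the kernel driver's code. The names exec_ctx, model_calloc, ws_read, execute and the fail_alloc hook are hypothetical, and the model reports -EFAULT at the point where the kernel would dereference the NULL ws pointer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the execution context; ws/ws_size mirror ectx.ws/ectx.ws_size. */
struct exec_ctx {
    uint32_t *ws;    /* workspace buffer */
    size_t ws_size;  /* number of workspace entries the table asked for */
};

static int fail_alloc; /* constructed test hook: force the allocation to fail */

static void *model_calloc(size_t n, size_t size)
{
    return fail_alloc ? NULL : calloc(n, size);
}

/* Models a WS read: trusts ws whenever the index is within ws_size. */
static int ws_read(const struct exec_ctx *ctx, size_t idx, uint32_t *out)
{
    if (idx >= ctx->ws_size)
        return -EINVAL;
    if (!ctx->ws)
        return -EFAULT; /* stands in for the kernel NULL pointer dereference */
    *out = ctx->ws[idx];
    return 0;
}

/* check_alloc == 0 models the pre-fix shape, 1 models the fixed shape. */
static int execute(size_t ws_entries, int check_alloc, uint32_t *out)
{
    struct exec_ctx ctx = { NULL, 0 };
    int ret;

    if (ws_entries) {
        ctx.ws = model_calloc(ws_entries, sizeof(uint32_t));
        if (check_alloc && !ctx.ws)
            return -ENOMEM;       /* the fix: bail out before any WS access */
        ctx.ws_size = ws_entries; /* pre-fix path gets here with ws == NULL */
    }
    ret = ws_read(&ctx, 0, out);
    free(ctx.ws);
    return ret;
}

int main(void)
{
    uint32_t v = 0;
    fail_alloc = 1; /* simulate memory pressure */
    printf("unchecked: %d, checked: %d\n", execute(4, 0, &v), execute(4, 1, &v));
    return 0;
}
```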