CVE-2025-71293 (GCVE-0-2025-71293)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:32 – Updated: 2026-05-11 21:57
VLAI
Title
drm/amdgpu/ras: Move ras data alloc before bad page check
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/ras: Move ras data alloc before bad page check In the rare event if eeprom has only invalid address entries, allocation is skipped, this causes following NULL pointer issue [ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 547.118897] #PF: supervisor read access in kernel mode [ 547.130292] #PF: error_code(0x0000) - not-present page [ 547.141689] PGD 124757067 P4D 0 [ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu [ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025 [ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76 [ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246 [ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000 [ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800 [ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000 [ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092 [ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000 [ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0 [ 547.389321] PKRU: 55555554 [ 547.395316] Call Trace: [ 547.400737] <TASK> [ 547.405386] ? show_regs+0x6d/0x80 [ 547.412929] ? __die+0x24/0x80 [ 547.419697] ? page_fault_oops+0x99/0x1b0 [ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0 [ 547.438249] ? exc_page_fault+0x83/0x1b0 [ 547.446949] ? asm_exc_page_fault+0x27/0x30 [ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.470040] ? mas_wr_modify+0xcd/0x140 [ 547.478548] sysfs_kf_bin_read+0x63/0xb0 [ 547.487248] kernfs_file_read_iter+0xa1/0x190 [ 547.496909] kernfs_fop_read_iter+0x25/0x40 [ 547.506182] vfs_read+0x255/0x390 This also result in space left assigned to negative values. Moving data alloc call before bad page check resolves both the issue.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d45c5e6845a76169ef3d6076f0f04487e5776905 , < 0b7f78caeffa51a1afa521c284e863ec3b5a36df (git)
Affected: d45c5e6845a76169ef3d6076f0f04487e5776905 , < 5c685235b60459381e959109b416a63db4d8dbac (git)
Affected: d45c5e6845a76169ef3d6076f0f04487e5776905 , < bd68a1404b6fa2e7e9957b38ba22616faba43e75 (git)
Create a notification for this product.
Linux Linux Affected: 6.18
Unaffected: 0 , < 6.18 (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b7f78caeffa51a1afa521c284e863ec3b5a36df",
              "status": "affected",
              "version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
              "versionType": "git"
            },
            {
              "lessThan": "5c685235b60459381e959109b416a63db4d8dbac",
              "status": "affected",
              "version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
              "versionType": "git"
            },
            {
              "lessThan": "bd68a1404b6fa2e7e9957b38ba22616faba43e75",
              "status": "affected",
              "version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/ras: Move ras data alloc before bad page check\n\nIn the rare event if eeprom has only invalid address entries,\nallocation is skipped, this causes following NULL pointer issue\n[  547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  547.118897] #PF: supervisor read access in kernel mode\n[  547.130292] #PF: error_code(0x0000) - not-present page\n[  547.141689] PGD 124757067 P4D 0\n[  547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G           OE      6.8.0-38-generic #38-Ubuntu\n[  547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025\n[  547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 \u003c48\u003e 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76\n[  547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246\n[  547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000\n[  547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800\n[  547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000\n[  547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[  547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092\n[  547.342790] FS:  0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000\n[  547.360744] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0\n[  547.389321] PKRU: 55555554\n[  547.395316] Call Trace:\n[  547.400737]  \u003cTASK\u003e\n[  547.405386]  ? show_regs+0x6d/0x80\n[  547.412929]  ? __die+0x24/0x80\n[  547.419697]  ? page_fault_oops+0x99/0x1b0\n[  547.428588]  ? do_user_addr_fault+0x2ee/0x6b0\n[  547.438249]  ? exc_page_fault+0x83/0x1b0\n[  547.446949]  ? asm_exc_page_fault+0x27/0x30\n[  547.456225]  ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.470040]  ? mas_wr_modify+0xcd/0x140\n[  547.478548]  sysfs_kf_bin_read+0x63/0xb0\n[  547.487248]  kernfs_file_read_iter+0xa1/0x190\n[  547.496909]  kernfs_fop_read_iter+0x25/0x40\n[  547.506182]  vfs_read+0x255/0x390\n\nThis also result in space left assigned to negative values.\nMoving data alloc call before bad page check resolves both the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:57:23.917Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75"
        }
      ],
      "title": "drm/amdgpu/ras: Move ras data alloc before bad page check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71293",
    "datePublished": "2026-05-06T11:32:24.583Z",
    "dateReserved": "2026-05-06T11:31:45.510Z",
    "dateUpdated": "2026-05-11T21:57:23.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-71293",
      "date": "2026-05-27",
      "epss": "0.00013",
      "percentile": "0.02248"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71293\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:28.583\",\"lastModified\":\"2026-05-13T20:55:15.357\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu/ras: Move ras data alloc before bad page check\\n\\nIn the rare event if eeprom has only invalid address entries,\\nallocation is skipped, this causes following NULL pointer issue\\n[  547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010\\n[  547.118897] #PF: supervisor read access in kernel mode\\n[  547.130292] #PF: error_code(0x0000) - not-present page\\n[  547.141689] PGD 124757067 P4D 0\\n[  547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n[  547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G           OE      6.8.0-38-generic #38-Ubuntu\\n[  547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025\\n[  547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\\n[  547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 \u003c48\u003e 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76\\n[  547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246\\n[  547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000\\n[  547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800\\n[  547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000\\n[  547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\\n[  547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092\\n[  547.342790] FS:  0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000\\n[  547.360744] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0\\n[  547.389321] PKRU: 55555554\\n[  547.395316] Call Trace:\\n[  547.400737]  \u003cTASK\u003e\\n[  547.405386]  ? show_regs+0x6d/0x80\\n[  547.412929]  ? __die+0x24/0x80\\n[  547.419697]  ? page_fault_oops+0x99/0x1b0\\n[  547.428588]  ? do_user_addr_fault+0x2ee/0x6b0\\n[  547.438249]  ? exc_page_fault+0x83/0x1b0\\n[  547.446949]  ? asm_exc_page_fault+0x27/0x30\\n[  547.456225]  ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\\n[  547.470040]  ? mas_wr_modify+0xcd/0x140\\n[  547.478548]  sysfs_kf_bin_read+0x63/0xb0\\n[  547.487248]  kernfs_file_read_iter+0xa1/0x190\\n[  547.496909]  kernfs_fop_read_iter+0x25/0x40\\n[  547.506182]  vfs_read+0x255/0x390\\n\\nThis also result in space left assigned to negative values.\\nMoving data alloc call before bad page check resolves both the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.18\",\"versionEndExcluding\":\"6.18.16\",\"matchCriteriaId\":\"E0D300DB-AA68-4962-981D-EF9F5E97AACF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.6\",\"matchCriteriaId\":\"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.