Pending Analysis: CVE-2025-71293

CVE-2025-71293: Kernel NULL Pointer in AMD GPU Driver

Platform: linux

Component: amdgpu

Fixed in: bd68a1404b6fa2e7e9957b38ba22616faba43e75

CVE-2025-71293 is a vulnerability in the AMD GPU driver (amdgpu) in the Linux kernel. It results in a NULL pointer dereference, which can crash the system or leave it unstable. The flaw is in the RAS subsystem's data allocation when it encounters invalid EEPROM entries. Versions prior to bd68a1404b6fa2e7e9957b38ba22616faba43e75 are affected, and the fix is available in bd68a1404b6fa2e7e9957b38ba22616faba43e75.

Impact and Attack Scenarios

The core impact of CVE-2025-71293 is a kernel NULL pointer dereference: the kernel attempts to access memory at address 0x0000000000000010, which is invalid, and crashes. The vulnerability arises when the AMD GPU driver's RAS subsystem attempts to allocate data but encounters an EEPROM containing only invalid address entries. In that case the allocation is skipped, and a later access dereferences the NULL pointer. Successful exploitation could lead to a denial-of-service (DoS) condition, potentially requiring a system reboot. While direct remote code execution is unlikely, the instability could be leveraged in conjunction with other vulnerabilities to achieve a more severe outcome.

Exploitation Context

The vulnerability was published on 2026-05-06. Its exploitation probability is currently pending evaluation. No public proof-of-concept (PoC) code has been released as of this writing. There are no indications of active campaigns targeting this specific vulnerability. It is recommended to monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.02% (6th percentile)

Affected Software

Component: amdgpu
Vendor: Linux
Maximum version: bd68a1404b6fa2e7e9957b38ba22616faba43e75
Fixed in: bd68a1404b6fa2e7e9957b38ba22616faba43e75

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-71293 is to upgrade the AMD GPU Driver to version bd68a1404b6fa2e7e9957b38ba22616faba43e75 or later. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider temporarily disabling the RAS functionality within the AMD GPU driver, although this will reduce system reliability features. Monitor system logs for kernel panics or errors related to memory access, particularly those referencing NULL pointer dereferences. After upgrading, confirm the fix by running a stress test on the GPU to ensure stability under load.

How to fix

Update the Linux kernel to version 6.8.1 or later to mitigate the issue. The vulnerability is caused by a race condition in RAS data allocation, which can lead to a NULL pointer dereference. The update fixes this by moving the data allocation ahead of the bad-page check.
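The ordering problem described under "Impact and Attack Scenarios" and the fix described here (allocation moved ahead of the bad-page check), modelled in user-space C. This is an added example, not the amdgpu driver's code: every struct, function and constant name is hypothetical, and the field at offset 0x10 is an assumption chosen to match the faulting address quoted on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#define INVALID_ADDR UINT64_MAX /* constructed marker: invalid EEPROM entry */
struct ras_err_data {           /* hypothetical layout, not the driver's */
    uint64_t base, count;       /* offsets 0x00 and 0x08 */
    uint64_t space_left;        /* offset 0x10: a read via NULL faults at 0x10 */
};
struct ras_ctx { struct ras_err_data *data; };

static uint64_t count_valid(const uint64_t *e, size_t n)
{
    uint64_t valid = 0;
    for (size_t i = 0; i < n; i++)
        valid += (e[i] != INVALID_ADDR);
    return valid;
}

/* alloc_first = 0 models the pre-fix order (bad-page check, then allocation);
 * alloc_first = 1 models the fix (allocation moved ahead of the check). */
int ras_init(struct ras_ctx *ctx, const uint64_t *e, size_t n, int alloc_first)
{
    ctx->data = NULL;
    if (alloc_first && !(ctx->data = calloc(1, sizeof(*ctx->data))))
        return -1;
    if (count_valid(e, n) == 0)
        return 0;               /* pre-fix order leaves ctx->data NULL here */
    if (!ctx->data && !(ctx->data = calloc(1, sizeof(*ctx->data))))
        return -1;
    ctx->data->count = count_valid(e, n);
    return 0;
}

/* Later consumer; the guard stands in for the kernel oops in this model. */
int ras_space_left(const struct ras_ctx *ctx, uint64_t *out)
{
    if (!ctx->data)
        return -1;              /* unguarded kernel code would fault here */
    *out = ctx->data->space_left;
    return 0;
}

int main(void)
{
    const uint64_t eeprom[] = { INVALID_ADDR, INVALID_ADDR }; /* constructed */
    struct ras_ctx old, fixed;
    uint64_t v;
    int rc = ras_init(&old, eeprom, 2, 0) | ras_init(&fixed, eeprom, 2, 1);
    return rc || ras_space_left(&old, &v) != -1 || ras_space_left(&fixed, &v);
}
```

With an all-invalid EEPROM, the pre-fix order reports success from initialization yet leaves the data pointer NULL, so the failure only surfaces at the first later access.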

Frequently asked questions

What is CVE-2025-71293 — Kernel NULL Pointer in AMD GPU Driver?

CVE-2025-71293 is a vulnerability in the AMD GPU Driver for Linux that can lead to a NULL pointer dereference, potentially causing system instability or crashes. It occurs when the driver handles invalid EEPROM entries.

Am I affected by CVE-2025-71293 in AMD GPU Driver?

You are affected if you are running the AMD GPU Driver in Linux with a version prior to bd68a1404b6fa2e7e9957b38ba22616faba43e75. Check your driver version using the commands provided in the detection steps.

How do I fix CVE-2025-71293 in AMD GPU Driver?

Upgrade the AMD GPU Driver to version bd68a1404b6fa2e7e9957b38ba22616faba43e75 or later. If immediate upgrade is not possible, consider temporarily disabling RAS functionality (with caution).

Is CVE-2025-71293 being actively exploited?

As of the current assessment, there are no indications of active exploitation campaigns targeting CVE-2025-71293. However, continuous monitoring is recommended.

Where can I find the official AMD advisory for CVE-2025-71293?

Refer to the AMD security advisories page for the latest information and official guidance regarding CVE-2025-71293. Check the Linux Kernel security announcements as well.
