CVE-2025-71294: Null Pointer Dereference in AMD GPU Driver
Platform
linux
Component
amdgpu
Fixed in
276028fd9b60bbcc68796d1124b6b58298f4ca8a
CVE-2025-71294 describes a Null Pointer Dereference vulnerability discovered in the AMD GPU Driver for Linux. This flaw arises when the SDMA block is not enabled, preventing proper initialization of buffer functions, potentially leading to system instability. The vulnerability affects versions of the driver prior to 276028fd9b60bbcc68796d1124b6b58298f4ca8a, and a fix is available in that version.
Impact and Attack Scenarios
A successful exploitation of this Null Pointer Dereference vulnerability could allow an attacker to trigger a denial-of-service (DoS) condition, causing the system to crash or become unresponsive. The attacker could potentially gain control of the affected system, although this is less likely given the nature of the vulnerability. The impact is primarily related to system stability and availability, rather than direct data compromise. While not directly exploitable for remote code execution, a crash could be leveraged in conjunction with other vulnerabilities to escalate privileges or gain further access. The severity stems from the potential for system downtime and the difficulty in recovering from a crash.
Exploitation Context
The vulnerability was published on 2026-05-06. Exploitation context is currently limited; there are no publicly available proof-of-concept (POC) exploits. The vulnerability is not listed on KEV (Kernel Exploitability Vulnerability) as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation, indicating an uncertain probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates on exploitation activity.
Threat Intelligence
Exploit Status
EPSS
0.02% (7% percentile)
Affected Software
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-71294 is to upgrade the AMD GPU Driver to version 276028fd9b60bbcc68796d1124b6b58298f4ca8a or later. If an immediate upgrade is not possible due to compatibility issues or system downtime concerns, consider temporarily disabling the SDMA block if it is not essential for your workload. This workaround reduces the likelihood of the vulnerability being triggered. Monitor system logs for any crashes or errors related to the AMD GPU driver, which could indicate exploitation attempts. After upgrading, confirm the fix by running a stress test on the GPU to ensure stability.
How to fix
Actualizar el kernel de Linux a la versión 6.7 o superior, o a una versión posterior dentro de las ramas 6.12, 6.18 o 6.19 que contengan la corrección. Esta actualización soluciona un problema de puntero nulo en las funciones de manejo de búferes cuando el bloque SDMA no está habilitado, previniendo posibles fallos del sistema.
Frequently asked questions
What is CVE-2025-71294 — Null Pointer Dereference in AMD GPU Driver?
CVE-2025-71294 is a vulnerability in the AMD GPU Driver for Linux where a Null Pointer Dereference can occur if the SDMA block is not enabled, potentially leading to system instability or denial of service.
Am I affected by CVE-2025-71294 in AMD GPU Driver?
You are affected if you are running the AMD GPU Driver for Linux on a system with a version prior to 276028fd9b60bbcc68796d1124b6b58298f4ca8a. Check your driver version to determine if you are vulnerable.
How do I fix CVE-2025-71294 in AMD GPU Driver?
Upgrade the AMD GPU Driver to version 276028fd9b60bbcc68796d1124b6b58298f4ca8a or later. As a temporary workaround, disable the SDMA block if it is not essential.
Is CVE-2025-71294 being actively exploited?
As of the current assessment, CVE-2025-71294 is not known to be actively exploited, but monitoring for exploitation attempts is recommended.
Where can I find the official AMD advisory for CVE-2025-71294?
Refer to the AMD security advisories page for the latest information and official guidance regarding CVE-2025-71294.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...