CVE-2025-21956 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Assign normalized_pix_clk when color depth = 14

[WHY & HOW]
A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the
display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT.

It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.

Also fixes the indentation in get_norm_pix_clk.

(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/01/2026

The vulnerability CVE-2025-21956 represents a critical issue within the AMD GPU display driver component of the Linux kernel, specifically affecting the display resource management subsystem. This flaw manifests in the drm/amd/display driver where the system fails to properly handle color depth configurations, particularly when dealing with 14-bit color depth settings. The issue primarily impacts Radeon RX 6600 XT graphics cards and other AMD GPU models that utilize the amdgpu kernel module for display operations. The root cause stems from an incomplete code path in the display color depth handling logic, which creates a scenario where certain color depth values are not properly normalized, leading to system instability and warning messages during display initialization or configuration.

The technical implementation flaw occurs within the dc_resource.c file at line 3397 in the calculate_phy_pix_clks function, where the system encounters a condition where display_color_depth equals COLOR_DEPTH_141414 but lacks proper handling. This specific color depth configuration represents a 14-bit per channel color depth setting that should be normalized to ensure proper pixel clock calculations for display timing. The missing assignment of normalized_pix_clk for this particular color depth value results in the kernel generating warning messages that indicate a potential system instability or configuration error. The fix addresses this by implementing the same normalization calculation used for other color depth configurations, specifically assigning pix_clk (14 3) / 24, which aligns with the established patterns for color depth normalization within the display subsystem.

The operational impact of this vulnerability extends beyond simple warning messages to potentially affect display stability and performance on affected AMD GPU systems. When the system attempts to configure displays with 14-bit color depth, the missing normalization calculation can lead to incorrect pixel clock computations, which may result in display timing issues, screen flickering, or complete display failures. This vulnerability particularly affects users running Linux systems with AMD Radeon graphics cards who attempt to utilize high-bit-depth display configurations, potentially impacting professional graphics workstations, gaming systems, or any environment requiring precise color reproduction. The warning message generation indicates that the kernel is detecting an inconsistent state in the display resource management, which could propagate into more serious system stability issues under certain load conditions or display configuration scenarios.

The resolution for CVE-2025-21956 implements a targeted fix that ensures consistent handling of the 14-bit color depth configuration by applying the same normalization approach used for other color depth values within the display subsystem. This approach aligns with established software engineering practices for maintaining consistency in mathematical operations across different code paths, particularly in graphics driver development where precision in timing calculations is critical. The fix also includes correcting indentation in the get_norm_pix_clk function, which demonstrates attention to code quality and maintainability. This vulnerability maps to CWE-457: Use of Uninitialized Variable, as the normalized pixel clock value remains unassigned for the specific color depth configuration, and potentially to CWE-691: Insufficient Control Flow Management, given the incomplete handling of display color depth conditions. From an ATT&CK framework perspective, this vulnerability could be leveraged in privilege escalation scenarios or system stability degradation attacks, particularly in environments where display functionality is critical for system operation or user interaction. The fix ensures that the display subsystem maintains consistent behavior across all supported color depth configurations, thereby reducing the attack surface and improving overall system reliability for AMD GPU users running Linux distributions.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00199

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!