CVE-2025-37767 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Prevent division by zero

The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2025-37767 resides within the AMD power management subsystem of the Linux kernel, specifically within the direct rendering manager drm/amd/pm component. This flaw represents a critical division by zero error that can be triggered through improper input validation of speed parameters within the power management framework. The vulnerability was discovered through systematic analysis by the Linux Verification Center utilizing SVACE verification tools, highlighting the importance of formal verification in kernel security. The issue manifests when user-space applications or system components attempt to configure power management parameters with excessively large speed values, creating a scenario where mathematical operations can result in undefined behavior.

The technical root cause of this vulnerability stems from insufficient input validation within the AMD power management code path. When a user sets a speed value that exceeds the threshold of UINT_MAX divided by eight, the code executes a division operation that results in a zero denominator, causing immediate system instability. This type of arithmetic overflow vulnerability falls under the CWE-369 weakness category, specifically representing a division by zero condition that can lead to system crashes or potential privilege escalation. The flaw demonstrates poor defensive programming practices where boundary checks are inadequate to prevent mathematical operations from producing invalid results. The vulnerability exists in the kernel's power management interface where user-provided parameters are not properly sanitized before being used in arithmetic calculations.

The operational impact of CVE-2025-37767 extends beyond simple system crashes to potentially enable more severe security implications within the kernel's power management subsystem. When triggered, this vulnerability can cause the entire graphics subsystem to become unresponsive, leading to system hangs or forced reboots that disrupt normal operations. In environments where automated power management is critical, such as data centers or embedded systems, this vulnerability could result in significant service interruptions and potential denial of service conditions. The ATT&CK framework categorizes this as a system stability compromise technique that can be leveraged by attackers to disrupt normal system operations or potentially create conditions for further exploitation. The vulnerability affects systems running Linux kernels with AMD graphics hardware and power management features, making it particularly relevant for enterprise environments and cloud infrastructure that utilize AMD GPUs.

Mitigation strategies for this vulnerability should focus on immediate kernel updates from trusted sources that contain the patched code addressing the division by zero condition. The fix typically involves implementing proper boundary checks before any mathematical operations are performed, ensuring that speed values are validated against maximum thresholds before being processed. System administrators should prioritize applying security patches to all affected systems, particularly those running AMD graphics hardware in production environments. Additional defensive measures include monitoring system logs for unusual power management activity and implementing runtime checks that can detect and prevent invalid parameter values from reaching the vulnerable code paths. Organizations should also consider implementing kernel module hardening techniques and maintaining up-to-date security monitoring systems to detect potential exploitation attempts. The vulnerability serves as a reminder of the critical importance of input validation in kernel space operations and the necessity of formal verification techniques in identifying mathematical error conditions that could lead to system instability or security breaches.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!