CVE-2025-37768 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Prevent division by zero

The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/16/2026

The vulnerability identified as CVE-2025-37768 resides within the Linux kernel's drm/amd/pm subsystem, specifically addressing a critical division by zero condition that could potentially compromise system stability and security. This issue affects the AMD power management implementation within the Direct Rendering Manager framework, which handles graphics hardware power states and performance monitoring. The flaw manifests when user-space applications can manipulate speed values through various interfaces, creating a scenario where arbitrary input values can lead to mathematical overflow conditions. The vulnerability was discovered through systematic analysis by the Linux Verification Center, utilizing the SVACE verification toolset that employs formal methods to detect potential runtime errors and undefined behaviors in kernel code. The specific condition occurs when a speed parameter exceeds the threshold of UINT_MAX divided by eight, triggering a mathematical operation that results in division by zero.

The technical implementation of this vulnerability stems from inadequate input validation within the AMD power management code path. When user-space applications provide speed values that surpass the calculated threshold, the kernel's power management routines attempt to perform arithmetic operations that result in division by zero. This mathematical error occurs because the code does not properly validate the upper bounds of input parameters before executing operations that could lead to such catastrophic conditions. The flaw represents a classic example of improper input validation and arithmetic overflow handling, where the system fails to account for the maximum representable values of the underlying data types. According to CWE classification, this vulnerability maps to CWE-369: Divide by Zero, which specifically addresses the scenario where a program attempts to divide by zero, leading to potential system crashes or unpredictable behavior. The issue also aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, as it can be exploited to cause system instability through controlled input manipulation.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential vector for denial of service attacks that could affect graphics-intensive applications and systems relying on AMD hardware power management. When triggered, the division by zero condition can cause the kernel to panic, resulting in system-wide disruption of graphics services and potentially requiring manual system reboot. This vulnerability affects systems running Linux kernels with AMD graphics hardware and power management features, particularly those that allow user-space applications to configure performance parameters. The attack surface is broadened by the fact that multiple interfaces within the drm/amd/pm subsystem can accept user-provided speed values, making exploitation relatively straightforward for attackers who understand the kernel's power management APIs. The vulnerability demonstrates the critical importance of input validation in kernel space operations, where malformed data can lead to complete system compromise rather than just application-level failures. Systems utilizing AMD graphics cards in enterprise environments, gaming platforms, or any scenario requiring dynamic power management are particularly at risk, as the vulnerability can be exploited through legitimate user-space interfaces without requiring elevated privileges.

Mitigation strategies for CVE-2025-37768 should focus on implementing proper input validation within the kernel code to prevent speed values from exceeding safe mathematical bounds before arithmetic operations are performed. The recommended approach involves adding boundary checks that ensure speed parameters remain within acceptable ranges, specifically preventing values that would cause overflow conditions in subsequent calculations. Kernel updates incorporating the fix should be prioritized, as the patch typically involves adding explicit validation logic that prevents the problematic division operation from occurring. System administrators should monitor for kernel updates from their distribution vendors and apply patches promptly to address this vulnerability. Additional protective measures include implementing proper access controls to limit which user-space applications can modify power management parameters, as well as monitoring for unusual patterns in graphics subsystem behavior that might indicate exploitation attempts. The fix aligns with security best practices for kernel development, emphasizing the need for robust input validation and error handling in privileged code paths. Organizations should also consider implementing intrusion detection systems that monitor for abnormal kernel behavior patterns that could indicate attempted exploitation of similar arithmetic overflow vulnerabilities. Regular security assessments of kernel components, particularly those handling hardware-specific power management features, should be conducted to identify and remediate similar issues before they can be exploited in production environments.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00171

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!