CVE-2025-37770 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: Prevent division by zero
The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/31/2026
The vulnerability CVE-2025-37770 resides within the AMD power management subsystem of the Linux kernel, specifically within the direct rendering manager drm/amd/pm module. This issue represents a critical division by zero condition that can be triggered through improper input validation during power management operations. The flaw manifests when user-space applications or system components set speed values that exceed the maximum safe threshold, creating a scenario where arithmetic operations become undefined and potentially exploitable. The vulnerability was identified through systematic analysis by the Linux Verification Center, utilizing SVACE static verification tools that specialize in detecting mathematical and arithmetic errors in kernel code.
The technical implementation of this vulnerability stems from insufficient boundary checking within the power management control logic where speed parameters are processed without proper validation against overflow conditions. When a speed value exceeds the maximum representable value divided by eight, the arithmetic operation that calculates power management metrics results in a division by zero error. This condition violates fundamental mathematical principles and can cause kernel panic or system instability. The vulnerability maps directly to CWE-369, which specifically addresses division by zero errors in software systems. The flaw demonstrates poor input validation practices where the system fails to account for the mathematical limits of integer arithmetic operations, particularly when dealing with unsigned integer types that have defined maximum values.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable denial of service conditions that could compromise system availability. In a production environment, this vulnerability could be exploited by malicious actors to cause system-wide disruptions through carefully crafted power management commands. The consequences are particularly severe in embedded systems or server environments where continuous operation is critical. Attackers could leverage this condition to repeatedly trigger kernel panics, effectively rendering systems unusable until manual intervention occurs. The vulnerability also aligns with ATT&CK technique T1499.004, which involves network denial of service attacks through system resource exhaustion or corruption, as the division by zero condition can be used to destabilize system resources.
Mitigation strategies for this vulnerability should focus on implementing robust input validation at multiple layers within the power management subsystem. The immediate fix requires adding boundary checks before any arithmetic operations that could result in division by zero conditions, ensuring that speed values are validated against the maximum safe integer limits. System administrators should apply the latest kernel updates that contain the patched drm/amd/pm module, as the fix typically involves adding conditional checks that prevent values from exceeding the threshold that would cause overflow. Additionally, monitoring systems should be enhanced to detect anomalous power management operations that might indicate exploitation attempts. The fix should also incorporate proper error handling that gracefully manages invalid inputs rather than allowing them to propagate to critical arithmetic operations, thereby preventing the system from entering unstable states.