CVE-2025-37771 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Prevent division by zero

The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2025-37771 resides within the drm/amd/pm subsystem of the Linux kernel, specifically addressing a critical division by zero condition that could lead to system instability and potential denial of service. This flaw exists in the power management component responsible for handling graphics processing unit speed settings within AMD hardware configurations. The vulnerability was discovered through systematic analysis by the Linux Verification Center, utilizing the SVACE verification tool, highlighting the importance of automated security validation in kernel development environments.

The technical implementation of this vulnerability stems from insufficient input validation within the power management code path where user-provided speed values are processed without proper boundary checks. When a user or application sets a speed value that exceeds the maximum threshold of UINT_MAX divided by eight, the system attempts to perform a division operation that results in zero, causing an arithmetic exception. This particular mathematical boundary condition creates a scenario where the kernel's power management routines can no longer function correctly, potentially leading to system crashes or lockups. The vulnerability represents a classic example of improper input validation and integer overflow conditions that can be exploited to disrupt system operations.

The operational impact of this vulnerability extends beyond simple system instability, as it affects the reliability of graphics processing units within Linux environments. When triggered, the division by zero condition can cause the kernel to panic or terminate the power management thread, which may result in the complete unavailability of graphics processing capabilities for the affected system. This condition particularly impacts systems running AMD graphics hardware where the drm/amd/pm driver is actively managing power states and performance levels. The vulnerability could be exploited by malicious users or applications that intentionally set extreme speed parameters to cause system disruptions, making it a significant concern for production environments where system stability is paramount.

Mitigation strategies for CVE-2025-37771 should focus on implementing proper input validation and boundary checking within the affected kernel subsystem. The most effective approach involves adding explicit checks to verify that speed values do not exceed safe thresholds before any mathematical operations are performed. This solution aligns with CWE-191, which addresses integer underflow and overflow conditions, and CWE-369, which covers division by zero errors. Security practitioners should also consider applying kernel updates that contain the patched implementation, as the fix typically involves adding defensive programming measures such as conditional checks and proper error handling routines. Additionally, system administrators should monitor for unusual power management activities and implement logging mechanisms to detect potential exploitation attempts. The fix should be implemented following the ATT&CK framework's principle of defense in depth, ensuring that multiple layers of protection are in place to prevent exploitation of similar integer arithmetic vulnerabilities.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!