CVE-2025-38254 in Linuxinfo

Summary

by MITRE • 07/09/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add sanity checks for drm_edid_raw()

When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to return proper EDID bytes the caller wants: it may be either NULL (that leads to an Oops) or with too long bytes over the fixed size raw_edid array (that may lead to memory corruption). The latter was reported actually when connected with a bad adapter.

Add sanity checks for drm_edid_raw() to address the above corner cases, and return EDID_BAD_INPUT accordingly.

(cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/02/2026

The vulnerability described in CVE-2025-38254 resides within the Linux kernel's display subsystem, specifically within the amdgpu driver's implementation of the drm_edid_raw() function. This function serves as a critical interface for retrieving Extended Display Identification Data from display devices, which contains essential information about display capabilities, manufacturer details, and supported video modes. The flaw manifests when the function fails to validate input parameters and output data integrity, creating potential security risks that could be exploited by malicious actors or inadvertently triggered by faulty hardware connections.

The technical implementation of this vulnerability stems from inadequate input validation within the drm_edid_raw() function, which is part of the Direct Rendering Manager framework responsible for managing display hardware resources. When retrieving EDID data, the function does not perform proper bounds checking against the fixed-size raw_edid array, leading to two distinct failure modes. The first scenario occurs when the function returns NULL instead of valid EDID data, which immediately causes a kernel oops due to dereferencing a null pointer. The second and more concerning scenario involves cases where the retrieved EDID data exceeds the predetermined buffer size, potentially causing memory corruption through buffer overflow conditions that could be leveraged for privilege escalation or system instability.

This vulnerability directly maps to CWE-121, which describes heap-based buffer overflow conditions, and CWE-125, which covers out-of-bounds read errors. The operational impact of this flaw extends beyond simple system crashes, as it represents a potential attack surface that could be exploited to gain unauthorized access to system resources or compromise the integrity of the display subsystem. The vulnerability is particularly concerning in environments where multiple display devices are connected or where hardware compatibility issues might cause malformed EDID data to be transmitted, as demonstrated by the reported case involving a bad adapter connection. Attackers could potentially craft malicious EDID data that would trigger the buffer overflow condition when processed by the kernel's display driver, leading to system compromise or denial of service conditions.

The mitigation strategy implemented in this fix involves adding comprehensive sanity checks to the drm_edid_raw() function to validate both input parameters and output data before processing. The solution returns EDID_BAD_INPUT when the function encounters invalid EDID data, preventing the kernel from attempting to process malformed data that could lead to system crashes or memory corruption. This approach aligns with the principle of least privilege and defensive programming practices, ensuring that the kernel's display subsystem maintains stability even when encountering unexpected or malformed input data from display devices. The fix also demonstrates adherence to the ATT&CK framework's T1068 technique related to exploit for privilege escalation, as it prevents potential exploitation of memory corruption vulnerabilities that could be used to elevate privileges within the kernel space. The cherry-picked commit from the mainline kernel ensures that this security fix is properly integrated into the existing codebase while maintaining backward compatibility with existing display hardware configurations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00120

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!