Impact
During a DPU runtime suspend, the driver calls dev_pm_opp_set_rate(dev, 0), which lowers the MMCX rail voltage to its minimum while the core clock stays at its original, highest rate. When the system later resumes, only the clock is re‑enabled, leaving the rail at insufficient voltage for the clock. This mismatch can cause the device to become unstable or crash, impacting system availability. The weakness is rooted in improper power‑management coordination and is documented with CWE‑367.
Affected Systems
The flaw exists in the drm/msm/dpu driver of the Linux kernel. Any Linux system includes this driver—and that has not yet incorporated the patch to remove the dev_pm_opp_set_rate call—could be subject to the instability. While the CVE does not enumerate specific kernel versions, all recent builds using DPU support should be considered potentially vulnerable until the patch is applied.
Risk and Exploitability
The EPSS score is less vulnerability is not listed in the CISA KEV catalog, indicating an extremely low exploitation probability and limited public threat activity. The CVSS score is not available in the CVE record, so we cannot quantify severity with that metric. The attack vector is local: an attacker with access to trigger a runtime suspend/resume cycle (for example, through a privileged application or trusted driver) can induce the mismatch and cause a crash. No remote or privilege‑escalation vectors are described, so the risk remains primarily a local denial‑of‑service concern.
OpenCVE Enrichment
Debian DLA