Impact
This vulnerability is a memory leak in the Linux kernel’s amd‑pstate driver. When the function amd_pstate_epp_cpu_init() fails to set the Engine Power Profile, it allocates a cpudata structure but does not release it before returning an error. Over repeated failures the unfreed kernel memory can accumulate, potentially exhausting system memory, degrading performance, or even triggering a kernel panic. The official description states this leakage but does not describe an immediate denial of service; the effect is inferred as it could eventually lead to instability.
Affected Systems
All Linux kernel images that contain the amd‑pstate driver code before the commit that implements the free operation are potentially affected. Because no specific version ranges are published, any distribution using a kernel that predates the fix may be vulnerable. Administrators should verify whether their kernel contains the vulnerable code path by checking for the commit hash indicated in the references.
Risk and Exploitability
The CVSS score is 5.5, the EPSS score is < 1%, and KEV is not listed. Exploitation would require use of the EPP interface, but the privilege level needed is not specified in the input; it is inferred that modifying the EPP likely requires elevated privileges such as root or a capability that allows writing to sysfs entries. Coupled with the lack of a remote exploitation vector, the primary risk lies in local or privileged attackers repeatedly invoking the failing path, which could lead to memory exhaustion.
OpenCVE Enrichment