Impact
The vulnerability is a NULL pointer dereference in the kernel's DRM AMDKFD subsystem. When an ioctl requests a debug trap with a non-zero queue count but supplies a NULL array pointer, the kernel's get_queue_ids function returns NULL. The caller incorrectly treats this as a valid pointer, causing a subsequent function to dereference NULL and trigger a kernel panic. The resulting denial of service requires a system reboot to recover, potentially disrupting production workloads.
Affected Systems
All Linux kernel binaries compiled with the AMDKFD driver prior to the commit f165a82cdf503884bb1797771c61b2fcc72113d4 are affected. The vulnerability exists in any kernel version that predates this patch and does not include the defensive fix. The affected CPE identifier is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.
Risk and Exploitability
The exploit can be triggered from unprivileged user space by issuing a kfd_ioctl_set_debug_trap ioctl with num_queues greater than zero but a NULL queue_array_ptr. Because the kernel does not validate the pointer in this scenario, a user can directly cause a panic without special privileges. The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than one percent shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits have been reported, but the impact on availability remains significant.
OpenCVE Enrichment