CVE-2021-47362: Vulnerability in Linux Linux

Medium
Published: Tue May 21 2024 (05/21/2024, 15:03:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Update intermediate power state for SI

Update the current state as boot state during dpm initialization. During the subsequent initialization, set_power_state gets called to transition to the final power state. set_power_state refers to values from the current state and without current state populated, it could result in NULL pointer dereference.

For ex: on platforms where PCI speed change is supported through ACPI ATCS method, the link speed of current state needs to be queried before deciding on changing to final power state's link speed. The logic to query ATCS-support was broken on certain platforms. The issue became visible when broken ATCS-support logic got fixed with commit f9b7f3703ff9 ("drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)").

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698

AI-Powered Analysis

Last updated: 06/30/2025, 11:57:34 UTC

Technical Analysis

CVE-2021-47362 is a vulnerability in the Linux kernel, specifically in the AMD power management (pm) code of the Direct Rendering Manager (DRM) subsystem. The flaw arises during the initialization of dynamic power management (dpm) states for AMD GPUs and is due to the 'current state' not being populated before a power state transition. The fix updates the current state as the boot state during dpm initialization. During subsequent initialization, the function set_power_state is called to transition the GPU to its final power state, and it relies on values from the current state. If the current state has not been populated, set_power_state may dereference a NULL pointer, which can cause system instability or crashes (kernel panic).

The issue is particularly relevant on platforms where PCIe link speed changes are managed via the ACPI ATCS method. The logic to query ATCS support was broken on certain platforms, and the vulnerability became apparent when that logic was fixed in a related commit (f9b7f3703ff9). The flaw is subtle and tied to the interaction between power management states and the ACPI methods that control PCIe link speeds.

No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, indicating a specific code revision. The issue was publicly disclosed on May 21, 2024, but no CVSS score has been assigned yet. The flaw can lead to denial of service via kernel crashes caused by a NULL pointer dereference during GPU power state transitions.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with AMD GPUs that utilize the affected DRM power management code. The impact is mainly denial of service through kernel crashes, which can disrupt critical services, especially in environments relying on Linux servers or workstations with AMD graphics hardware. This could affect data centers, cloud providers, research institutions, and enterprises using Linux-based infrastructure. While the vulnerability does not appear to allow privilege escalation or remote code execution directly, the resulting system instability can lead to downtime, loss of productivity, and potential cascading failures in dependent services. Organizations with high availability requirements or those running GPU-accelerated workloads (e.g., scientific computing, AI/ML, graphics rendering) may experience significant operational impact. Since the issue is tied to power management and PCIe link speed changes, it might also affect hardware reliability and performance, further complicating system stability. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential future exploitation or accidental system failures.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel updates that include the fix for CVE-2021-47362 as soon as they become available from their Linux distribution vendors.
2) For environments using custom or upstream kernels, incorporate the relevant patch that corrects the initialization of the current power state in the AMD DRM subsystem.
3) Conduct thorough testing of kernel updates in staging environments, especially on systems with AMD GPUs and ACPI ATCS support, to ensure stability before production deployment.
4) Monitor system logs for kernel oops or panics related to drm/amdgpu power management to detect potential exploitation or instability.
5) Limit access to systems with affected kernels to trusted users and networks to reduce the risk of accidental triggering or exploitation.
6) Consider disabling PCIe link speed changes via ACPI ATCS if feasible and if it does not impact critical functionality, as a temporary workaround until patches are applied.
7) Maintain up-to-date hardware firmware and BIOS, as some power management interactions depend on firmware behavior.
8) Engage with Linux distribution security advisories and AMD support channels for ongoing updates and guidance.
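One way to automate the log monitoring in recommendation 4, as an added example that is not part of the original advisory: the script groups kernel log lines into NULL pointer dereference oopses and keeps those whose stack frames belong to the amdgpu module and look like the dpm power-state path. The sample log, the symbol names in it and the `SYMBOL_HINTS` list are constructed assumptions, not values from a real crash report.

```python
import re

# Standard x86 oops banner, end-of-trace marker, and "symbol+0xoff/0xlen [module]" frames.
OOPS_START = "BUG: kernel NULL pointer dereference"
OOPS_END = "---[ end trace"
FRAME = re.compile(r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>[\w-]+)\])?")
SYMBOL_HINTS = ("set_power_state", "dpm")  # assumption: hints for the dpm path

# Constructed sample log; symbols, offsets and timestamps are illustrative only.
SAMPLE_LOG = """\
[    3.412001] [drm] amdgpu kernel modesetting enabled.
[    3.918220] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    3.918301] RIP: 0010:si_dpm_set_power_state+0x5c/0x310 [amdgpu]
[    3.918377] Call Trace:
[    3.918401]  amdgpu_device_init+0x1a2/0x5e0 [amdgpu]
[    3.918500] ---[ end trace 0000000000000000 ]---
[   12.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   12.000180] RIP: 0010:examplefs_read+0x20/0x90 [examplefs]
[   12.000250] ---[ end trace 0000000000000000 ]---
""".splitlines()

def parse_oopses(lines):
    """Group log lines into NULL-dereference oops records with their stack frames."""
    oopses, current = [], None
    for line in lines:
        if OOPS_START in line:
            if current:
                oopses.append(current)  # previous oops had no end marker
            current = {"header": line.strip(), "frames": []}
        elif current is not None:
            match = FRAME.search(line)
            if match:
                current["frames"].append((match.group("sym"), match.group("mod")))
            if OOPS_END in line:
                oopses.append(current)
                current = None
    if current:
        oopses.append(current)  # log was cut off mid-trace
    return oopses

def find_amdgpu_dpm_oopses(lines):
    """Keep only oopses with an amdgpu frame whose symbol matches a dpm hint."""
    return [o for o in parse_oopses(lines)
            if any(mod == "amdgpu" and any(h in sym for h in SYMBOL_HINTS)
                   for sym, mod in o["frames"])]

if __name__ == "__main__":
    for oops in find_amdgpu_dpm_oopses(SAMPLE_LOG):
        print(oops["header"], oops["frames"][0])
```

Feed it the lines of a saved kernel log in place of `SAMPLE_LOG`; a hit during boot on an unpatched kernel is a reason to prioritise the update in recommendation 1.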

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T14:58:30.809Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9833c4522896dcbe8f24

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 11:57:34 AM

Last updated: 8/21/2025, 2:55:44 AM
