
CVE-2025-37903: Vulnerability in the Linux kernel

Severity: High
Published: Tue May 20 2025 (05/20/2025, 15:21:37 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix slab-use-after-free in hdcp

The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free:

[ 66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu]
[ 66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10
[ 66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233
[ 66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024
[ 66.776186] Workqueue: events event_property_validate [amdgpu]
[ 66.776494] Call Trace:
[ 66.776496] <TASK>
[ 66.776497] dump_stack_lvl+0x70/0xa0
[ 66.776504] print_report+0x175/0x555
[ 66.776507] ? __virt_addr_valid+0x243/0x450
[ 66.776510] ? kasan_complete_mode_report_info+0x66/0x1c0
[ 66.776515] kasan_report+0xeb/0x1c0
[ 66.776518] ? event_property_validate+0x42f/0x6c0 [amdgpu]
[ 66.776819] ? event_property_validate+0x42f/0x6c0 [amdgpu]
[ 66.777121] __asan_report_load4_noabort+0x14/0x20
[ 66.777124] event_property_validate+0x42f/0x6c0 [amdgpu]
[ 66.777342] ? __lock_acquire+0x6b40/0x6b40
[ 66.777347] ? enable_assr+0x250/0x250 [amdgpu]
[ 66.777571] process_one_work+0x86b/0x1510
[ 66.777575] ? pwq_dec_nr_in_flight+0xcf0/0xcf0
[ 66.777578] ? assign_work+0x16b/0x280
[ 66.777580] ? lock_is_held_type+0xa3/0x130
[ 66.777583] worker_thread+0x5c0/0xfa0
[ 66.777587] ? process_one_work+0x1510/0x1510
[ 66.777588] kthread+0x3a2/0x840
[ 66.777591] ? kthread_is_per_cpu+0xd0/0xd0
[ 66.777594] ? trace_hardirqs_on+0x4f/0x60
[ 66.777597] ? _raw_spin_unlock_irq+0x27/0x60
[ 66.777599] ? calculate_sigpending+0x77/0xa0
[ 66.777602] ? kthread_is_per_cpu+0xd0/0xd0
[ 66.777605] ret_from_fork+0x40/0x90
[ 66.777607] ? kthread_is_per_cpu+0xd0/0xd0
[ 66.777609] ret_from_fork_asm+0x11/0x20
[ 66.777614] </TASK>
[ 66.777643] Allocated by task 10:
[ 66.777646] kasan_save_stack+0x39/0x60
[ 66.777649] kasan_save_track+0x14/0x40
[ 66.777652] kasan_save_alloc_info+0x37/0x50
[ 66.777655] __kasan_kmalloc+0xbb/0xc0
[ 66.777658] __kmalloc_cache_noprof+0x1c8/0x4b0
[ 66.777661] dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu]
[ 66.777880] drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper]
[ 66.777892] drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper]
[ 66.777901] drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper]
[ 66.777909] drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper]
[ 66.777917] process_one_work+0x86b/0x1510
[ 66.777919] worker_thread+0x5c0/0xfa0
[ 66.777922] kthread+0x3a2/0x840
[ 66.777925] ret_from_fork+0x40/0x90
[ 66.777927] ret_from_fork_asm+0x11/0x20
[ 66.777932] Freed by task 1713:
[ 66.777935] kasan_save_stack+0x39/0x60
[ 66.777938] kasan_save_track+0x14/0x40
[ 66.777940] kasan_save_free_info+0x3b/0x60
[ 66.777944] __kasan_slab_free+0x52/0x70
[ 66.777946] kfree+0x13f/0x4b0
[ 66.777949] dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu]
[ 66.778179] drm_connector_free+0x7d/0xb0
[ 66.778184] drm_mode_object_put.part.0+0xee/0x160
[ 66.778188] drm_mode_object_put+0x37/0x50
[ 66.778191] drm_atomic_state_default_clear+0x220/0xd60
[ 66.778194] __drm_atomic_state_free+0x16e/0x2a0
[ 66.778197] drm_mode_atomic_ioctl+0x15ed/0x2ba0
[ 66.778200] drm_ioctl_kernel+0x17a/0x310
[ 66.778203] drm_ioctl+0x584/0xd10
[ 66.778206] amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu]
[ 66.778375] __x64_sys_ioctl+0x139/0x1a0
[ 66.778378] x64_sys_call+0xee7/0xfb0
[ 66.778381] ---truncated---

AI-Powered Analysis

Last updated: 07/04/2025, 01:25:10 UTC

Technical Analysis

CVE-2025-37903 is a use-after-free vulnerability in the Linux kernel's AMD GPU driver, specifically within the HDCP (High-bandwidth Digital Content Protection) code in amdgpu_dm_hdcp.c. The vulnerability arises because the HDCP code copies pointers to amdgpu_dm_connector objects without incrementing their kernel reference counts (kref). When a USB-C dock is unplugged, the associated amdgpu_dm_connector objects are freed, but the HDCP code retains dangling pointers to these now-freed objects. When the dock is plugged back in, these stale pointers are dereferenced, producing a slab-use-after-free. The KASAN report in the description shows the object being allocated in dm_dp_add_mst_connector (an MST connector created during link probing) and freed in dm_dp_mst_connector_destroy from atomic state cleanup in drm_mode_atomic_ioctl, with the stale read happening later in event_property_validate on the events workqueue. This flaw can cause kernel memory corruption, crashes, or potentially arbitrary code execution in kernel context. The Kernel Address Sanitizer (KASAN) detects the issue as a slab-use-after-free during event_property_validate in the amdgpu driver. The vulnerability affects Linux kernel versions that contain the amdgpu driver with the described HDCP implementation, and it is triggered by USB-C dock plug/unplug events. The root cause is improper reference counting of kernel objects, a critical memory-management error in kernel space. Although no exploits are reported in the wild yet, the vulnerability is serious because of its potential to destabilize the kernel or enable privilege escalation. The issue was publicly disclosed on May 20, 2025, without an assigned CVSS score. The vulnerability is specific to systems using AMD GPU hardware with the affected Linux kernel driver and USB-C docks, which are common in modern laptops and workstations.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to enterprises and institutions relying on Linux-based systems with AMD GPUs, such as development environments, data centers, and workstations using USB-C docks for multi-monitor setups. Exploitation could lead to kernel crashes causing denial of service, impacting availability of critical systems. More critically, the use-after-free could be leveraged by attackers to execute arbitrary code with kernel privileges, potentially leading to full system compromise, data breaches, or lateral movement within networks. This is particularly concerning for sectors with high security requirements such as finance, healthcare, government, and critical infrastructure in Europe. The vulnerability could disrupt business operations and compromise sensitive data if exploited. Since the flaw is triggered by hardware events (dock unplug/plug), it may be exploited locally or via malicious peripherals, increasing the attack surface in office environments. The lack of known exploits currently reduces immediate risk, but the vulnerability's nature demands prompt attention to prevent future exploitation.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the issue stems from improper reference counting in the amdgpu driver, applying the official kernel patches or upgrading to the latest stable kernel release that includes the fix is essential. Organizations should audit their hardware inventory to identify systems using AMD GPUs with USB-C docks and prioritize patching those systems. Additionally, implementing strict device control policies to limit unauthorized USB-C dock usage can reduce exposure. Monitoring kernel logs for KASAN slab-use-after-free errors related to amdgpu can help detect attempts to trigger the vulnerability. For environments where immediate patching is not feasible, temporarily disabling USB-C dock support or restricting hot-plug events via kernel parameters or udev rules may mitigate risk. Security teams should also ensure robust endpoint detection and response (EDR) solutions are in place to detect anomalous kernel behavior. Finally, educating users about the risks of connecting untrusted USB-C peripherals can help reduce attack vectors.
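The monitoring recommendation above is easier to operationalize if the KASAN report is parsed into a structured finding rather than matched as a bare string. The following is an added example, not code from the advisory or from the Linux kernel project: a small Python scanner that groups kernel log lines into KASAN reports, keeps only slab-use-after-free reports whose faulting function, allocation stack or free stack lies in the amdgpu module, and names the allocating and freeing callers (the kernel's own sanitizer and allocator frames are skipped so the real owner of the object surfaces). It assumes the lines arrive as plain text with the usual "[ seconds ]" prefix, as from dmesg or journalctl -k; the sample log is constructed for this example from an abridged copy of the trace in the description plus one benign amdgpu line.

```python
"""Scan kernel log lines for KASAN reports and summarise the amdgpu use-after-free ones."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # the "[   66.775837] " timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[a-z-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>[^\]]+)\])?")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^(?:\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>[^\]]+)\])?$")
ALLOC_RE = re.compile(r"^Allocated by task \d+:")
FREE_RE = re.compile(r"^Freed by task \d+:")
# Sanitizer/allocator plumbing that tops every alloc/free stack; skipped to find the real origin.
PLUMBING = ("kasan_", "__kasan_", "kfree", "kmalloc", "__kmalloc")


@dataclass
class Frame:
    func: str
    module: Optional[str]

    def __str__(self):
        return f"{self.func} [{self.module}]" if self.module else self.func


@dataclass
class KasanReport:
    bug: str
    fault: Frame
    access: str = "unknown access"
    task: str = "?"
    call_trace: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)

    def touches_module(self, name):
        return any(f.module == name for f in [self.fault, *self.alloc_stack, *self.free_stack])


def origin(stack):
    """First frame of an alloc/free stack that is not allocator plumbing, i.e. the caller owning the object."""
    return next((f for f in stack if not f.func.startswith(PLUMBING)), None)


def parse_kasan_reports(lines):
    """Group KASAN report lines into KasanReport objects; unrelated log lines are ignored."""
    reports, cur, section = [], None, None
    for raw in lines:
        line = TS_RE.sub("", raw).strip()
        m = BUG_RE.search(line)
        if m:  # a new report starts at the BUG: line
            cur = KasanReport(m["bug"], Frame(m["func"], m["module"]))
            reports.append(cur)
            section = None
            continue
        if cur is None:
            continue
        a = ACCESS_RE.search(line)
        if a:
            cur.access, cur.task = f"{a['op']} of size {a['size']}", a["task"]
        elif line == "Call Trace:":
            section = cur.call_trace
        elif ALLOC_RE.match(line):
            section = cur.alloc_stack
        elif FREE_RE.match(line):
            section = cur.free_stack
        elif line == "---truncated---" or line.startswith("===="):
            cur, section = None, None  # end of this report
        elif section is not None:
            f = FRAME_RE.match(line)
            if f:
                section.append(Frame(f["func"], f["module"]))
    return reports


def summarize(r):
    return (f"{r.bug} in {r.fault} ({r.access} by {r.task}); "
            f"allocated in {origin(r.alloc_stack) or 'unknown'}; freed in {origin(r.free_stack) or 'unknown'}")


def amdgpu_uaf_findings(lines):
    """Summaries of slab-use-after-free reports whose fault, alloc or free stack is in amdgpu."""
    return [summarize(r) for r in parse_kasan_reports(lines)
            if r.bug == "slab-use-after-free" and r.touches_module("amdgpu")]


# Constructed sample: one benign amdgpu line, then an abridged copy of the report from the advisory.
SAMPLE_LOG = """\
[   12.345678] amdgpu 0000:04:00.0: [drm] fb0: amdgpudrmfb frame buffer device
[   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10
[   66.776186] Workqueue: events event_property_validate [amdgpu]
[   66.776494] Call Trace:
[   66.776496]  <TASK>
[   66.776497]  dump_stack_lvl+0x70/0xa0
[   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.777571]  process_one_work+0x86b/0x1510
[   66.777614]  </TASK>
[   66.777643] Allocated by task 10:
[   66.777646]  kasan_save_stack+0x39/0x60
[   66.777655]  __kasan_kmalloc+0xbb/0xc0
[   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0
[   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu]
[   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper]
[   66.777932] Freed by task 1713:
[   66.777935]  kasan_save_stack+0x39/0x60
[   66.777944]  __kasan_slab_free+0x52/0x70
[   66.777946]  kfree+0x13f/0x4b0
[   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu]
[   66.778179]  drm_connector_free+0x7d/0xb0
[   66.778381] ---truncated---
""".splitlines()

if __name__ == "__main__":
    for finding in amdgpu_uaf_findings(SAMPLE_LOG):
        print(finding)
```

Run against a live system with `journalctl -k --no-pager | python3 kasan_scan.py` after replacing `SAMPLE_LOG` with `sys.stdin`. KASAN reports only appear on kernels built with CONFIG_KASAN, so this is a development and test-fleet detection; on production kernels without KASAN the same bug shows up as an oops or a general protection fault in amdgpu, which a plain "BUG:" or "general protection fault" match on kernel logs still catches.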


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.965Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaf52

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 1:25:10 AM

Last updated: 8/14/2025, 9:41:31 PM
