CVE-2025-38080

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/3a7810c212bcf2f722671dadf4b23ff70a7d23ee	Patch
https://git.kernel.org/stable/c/bf1666072e7482317cf2302621766482a21a62c7	Patch
https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757	Patch
https://git.kernel.org/stable/c/e55c5704b12eeea27e212bfab8f7e51ad3e8ac1f	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-06-18 10:15

Updated : 2025-11-14 20:18

NVD link : CVE-2025-38080

Mitre link : CVE-2025-38080

CVE.ORG link : CVE-2025-38080

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2025-38080", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T10:15:41.647", "references": [{"url": "https://git.kernel.org/stable/c/3a7810c212bcf2f722671dadf4b23ff70a7d23ee", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf1666072e7482317cf2302621766482a21a62c7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e55c5704b12eeea27e212bfab8f7e51ad3e8ac1f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Increase block_sequence array size\n\n[Why]\nIt's possible to generate more than 50 steps in hwss_build_fast_sequence,\nfor example with a 6-pipe asic where all pipes are in one MPC chain. This\noverflows the block_sequence buffer and corrupts block_sequence_steps,\ncausing a crash.\n\n[How]\nExpand block_sequence to 100 items. A naive upper bound on the possible\nnumber of steps for a 6-pipe asic, ignoring the potential for steps to be\nmutually exclusive, is 91 with current code, therefore 100 is sufficient."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Aumentar el tama\u00f1o de la matriz block_sequence [Por qu\u00e9] Es posible generar m\u00e1s de 50 pasos en hwss_build_fast_sequence, por ejemplo, con un ASIC de 6 tuber\u00edas donde todas las tuber\u00edas est\u00e1n en una cadena MPC. Esto desborda el b\u00fafer block_sequence y corrompe block_sequence_steps, lo que provoca un fallo. [C\u00f3mo] Ampliar block_sequence a 100 elementos. Un l\u00edmite superior simple para el n\u00famero posible de pasos para un ASIC de 6 tuber\u00edas, ignorando la posibilidad de que los pasos sean mutuamente excluyentes, es 91 con el c\u00f3digo actual; por lo tanto, 100 es suficiente."}], "lastModified": "2025-11-14T20:18:20.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE0D2A5C-54AB-4F39-8991-7AC94FB5B780", "versionEndExcluding": "6.6.93", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AE98841-5774-4B45-A81C-2D188DB7E5C3", "versionEndExcluding": "6.12.31", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9B72DD1-715C-4101-A720-1C8D70044C06", "versionEndExcluding": "6.14.9", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}