{ "threat_severity" : "Low", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: drm/amdgpu: Fix size validation for non-exclusive domains (v4)", "id" : "2402249", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402249" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/amdgpu: Fix size validation for non-exclusive domains (v4)\nFix amdgpu_bo_validate_size() to check whether the TTM domain manager for the\nrequested memory exists, else we get a kernel oops when dereferencing \"man\".\nv2: Make the patch standalone, i.e. not dependent on local patches.\nv3: Preserve old behaviour and just check that the manager pointer is not\nNULL.\nv4: Complain if GTT domain requested and it is uninitialized--most likely a\nbug.", "A NULL pointer dereference flaw was found in the Linux kernel's AMD GPU driver in the buffer object size validation logic. \nA local user on systems with AMD graphics hardware can trigger this issue by requesting memory allocation in non-exclusive domains when the Translation Table Manager domain manager has not been initialized. This causes the kernel to dereference a NULL pointer when validating buffer sizes, resulting in a kernel crash and denial of service." ], "statement" : "The amdgpu_bo_validate_size function attempts to validate buffer allocations by checking domain manager constraints, but fails to verify that the domain manager pointer is non-NULL before dereferencing it. When a buffer object is created with a domain configuration that lacks an initialized manager, particularly for the Graphics Translation Table domain, the code accesses the NULL manager pointer, triggering an immediate kernel oops. This occurs during graphics memory allocation operations, which any local user with access to AMD GPU devices can initiate through normal graphics API calls", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50527\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50527\nhttps://lore.kernel.org/linux-cve-announce/2025100706-CVE-2022-50527-de17@gregkh/T" ], "name" : "CVE-2022-50527", "mitigation" : { "value" : "To mitigate this issue, prevent the amdgpu module from being loaded. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.", "lang" : "en:us" }, "csaw" : false }