CVE-2024-50221

7.8 HIGH

📋 TL;DR

This CVE describes a kernel memory out-of-bounds write vulnerability in the AMD GPU driver for Linux systems with Vangogh architecture GPUs. The vulnerability allows writing beyond allocated memory boundaries, potentially leading to kernel crashes or arbitrary code execution. Systems using affected AMD GPUs with the vulnerable Linux kernel driver are at risk.

💻 Affected Systems

Products:
  • AMD Vangogh architecture GPUs (Steam Deck APU, custom AMD APUs)
Versions: Linux kernel versions with the vulnerable AMDGPU driver (the CVE does not specify versions; it appears to affect 6.12.0-rc4 and earlier)
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires AMDGPU driver with Vangogh support enabled. Systems without AMD Vangogh GPUs are not affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic, system crash, or potential arbitrary code execution with kernel privileges leading to complete system compromise.

🟠 Likely Case

System instability, kernel crashes, or denial of service when GPU metrics are accessed.

🟢 If Mitigated

Limited impact with proper kernel hardening and isolation, but still risk of system instability.

🌐 Internet-Facing: LOW - Requires local access or ability to trigger GPU operations through other means.
🏢 Internal Only: MEDIUM - Local users or processes with GPU access could trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering GPU metrics operations, which typically requires local access or ability to run GPU-related commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commit 0880f58f9609f0200483a49429af0f050d281703 or later

Vendor Advisory: https://git.kernel.org/stable/c/4aa923a6e6406b43566ef6ac35a3d9a3197fa3e8

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix.
2. Reboot system.
3. Verify AMDGPU driver loads without errors.

🔧 Temporary Workarounds

Disable AMDGPU driver for Vangogh

Prevent the vulnerable AMDGPU driver module from loading

echo 'blacklist amdgpu' >> /etc/modprobe.d/blacklist-amdgpu.conf
update-initramfs -u
reboot

🧯 If You Can't Patch

  • Restrict GPU access to trusted users only
  • Monitor system logs for KASAN reports or kernel crashes related to amdgpu

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the AMDGPU driver is loaded. Look for KASAN reports in dmesg output.

Check Version:

uname -r && dmesg | grep -i amdgpu

Verify Fix Applied:

Check that kernel version includes the fix commit. Verify no KASAN errors appear when accessing GPU metrics.

📡 Detection & Monitoring

Log Indicators:

  • KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics
  • BUG: KASAN reports in dmesg
  • Kernel panic related to amdgpu module

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("KASAN" OR "slab-out-of-bounds" OR ("amdgpu" AND "panic"))
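
The log indicators and SIEM query above, worked as an added example (not part of the original advisory or of any vendor tooling): it applies the query with `"amdgpu" AND "panic"` grouped explicitly, then pairs each KASAN header with its access line so that only reports naming `smu_cmn_init_soft_gpu_metrics` are escalated. The sample log lines, their offsets, sizes and task names, and all function names in the script are constructed for illustration; case-insensitive matching is an assumption.

```python
import re

# Constructed sample kernel log; offsets, sizes, addresses and task names are made up.
SAMPLE_DMESG = """\
[    5.101234] [drm] amdgpu kernel modesetting enabled.
[    5.812345] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x77/0xd0 [amdgpu]
[    5.812360] Write of size 168 at addr ffff888100000000 by task modprobe/123
[    9.000001] BUG: KASAN: use-after-free in example_other_fn+0x10/0x40 [example]
[    9.000015] Read of size 8 at addr ffff888100000100 by task kworker/1:2/77
[   12.500000] amdgpu 0000:04:00.0: amdgpu: SMU is initialized successfully!
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
KASAN_HDR = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>\w+)\])?")
ACCESS = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr \S+ by task (?P<task>.+)/(?P<pid>\d+)$")


def siem_match(line):
    """The page's SIEM query, with 'amdgpu AND panic' grouped explicitly."""
    low = line.lower()  # case-insensitive matching is an assumption
    return ("kasan" in low or "slab-out-of-bounds" in low
            or ("amdgpu" in low and "panic" in low))


def kasan_reports(text):
    """Pair each KASAN header with the access line that follows it."""
    reports, pending = [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        hdr = KASAN_HDR.search(line)
        if hdr:
            pending = hdr.groupdict()
            reports.append(pending)
            continue
        acc = ACCESS.match(line)
        if acc and pending is not None:
            pending.update(op=acc["op"], size=int(acc["size"]), task=acc["task"])
            pending = None
    return reports


def cve_2024_50221_hits(reports):
    """Keep only reports matching the page's first log indicator."""
    return [r for r in reports
            if r["kind"] == "slab-out-of-bounds"
            and r["func"] == "smu_cmn_init_soft_gpu_metrics"]
```

Routine amdgpu driver messages do not match `siem_match`, while unrelated KASAN reports do match it and are then filtered out by `cve_2024_50221_hits`.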
