CVE-2025-37767 – A division by zero vulnerability exists in the ... (How to Fix)

Q: What is the severity of CVE-2025-37767?

CVE-2025-37767 has a CVSS score of 5.5 (MEDIUM). A division by zero vulnerability exists in the AMD GPU power management driver (drm/amd/pm) in the Linux kernel. Attackers can trigger a kernel panic or system crash by setting specific speed values. This affects Linux systems with AMD graphics hardware using vulnerable kernel versions.

📋 TL;DR

A division by zero vulnerability exists in the AMD GPU power management driver (drm/amd/pm) in the Linux kernel. Attackers can trigger a kernel panic or system crash by setting specific speed values. This affects Linux systems with AMD graphics hardware using vulnerable kernel versions.

💻 Affected Systems

Products:

Linux kernel with AMD GPU driver (drm/amd/pm)

Versions: Specific kernel versions containing the vulnerable code (check git commits for exact ranges)

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires AMD GPU hardware and the affected driver module to be loaded. Systems without AMD graphics are not affected.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

System crash or kernel panic requiring reboot, resulting in temporary denial of service.

🟢

If Mitigated

No impact if patched or if speed values are validated before reaching vulnerable code.

🌐 Internet-Facing: LOW - Requires local access or ability to influence GPU speed settings through other means.

🏢 Internal Only: MEDIUM - Local users or processes with appropriate permissions could trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to set GPU speed values, typically requiring local access and appropriate permissions. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing the fixes from the provided git commits

Vendor Advisory: https://git.kernel.org/stable/c/327107bd7f052f4ee2d0c966c7ae879822f1814f

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix. 2. Reboot system to load new kernel. 3. Verify AMD GPU driver is functioning correctly.

🔧 Temporary Workarounds

Disable AMD GPU power management

linux

Prevent loading of the vulnerable drm/amd/pm module

echo 'blacklist amdgpu' >> /etc/modprobe.d/blacklist.conf
update-initramfs -u
reboot

Restrict GPU speed setting permissions

linux

Limit access to GPU control interfaces

chmod 600 /sys/class/drm/card*/device/pp_*
chown root:root /sys/class/drm/card*/device/pp_*

🧯 If You Can't Patch

Restrict local user access to systems with vulnerable kernels
Implement strict access controls on GPU management interfaces

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if AMD GPU driver is loaded: 'uname -r' and 'lsmod | grep amdgpu'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated and system remains stable when GPU operations are performed

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/kern.log or dmesg
AMD GPU driver crash logs
System reboot events without clear cause

Network Indicators:

None - this is a local vulnerability

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "division by zero") AND "amdgpu"

📊 Metadata

CVE ID: CVE-2025-37767

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-369

EPSS Score: 0.03% exploit probability (6.7th percentile)

Published: May 1, 2025

Last Updated: November 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37767, you might also want to check these: