CVE-2025-37771 – A division by zero vulnerability exists in the ... (How to Fix)

Q: What is the severity of CVE-2025-37771?

CVE-2025-37771 has a CVSS score of 5.5 (MEDIUM). A division by zero vulnerability exists in the AMD GPU power management driver (drm/amd/pm) in the Linux kernel. This occurs when users set speed values greater than UINT_MAX/8, potentially causing kernel crashes or denial of service. Systems with AMD GPUs running vulnerable Linux kernel versions are affected.

📋 TL;DR

A division by zero vulnerability exists in the AMD GPU power management driver (drm/amd/pm) in the Linux kernel. This occurs when users set speed values greater than UINT_MAX/8, potentially causing kernel crashes or denial of service. Systems with AMD GPUs running vulnerable Linux kernel versions are affected.

💻 Affected Systems

Products:

Linux kernel with AMD GPU driver (drm/amd/pm)

Versions: Specific vulnerable kernel versions not explicitly stated; check commit references for affected releases.

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires AMD GPU hardware and the ability to set GPU speed parameters through the driver.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, requiring physical or remote reboot.

🟠

Likely Case

System instability, GPU driver crashes, or application failures when specific speed values are set.

🟢

If Mitigated

Minor performance impact from patched validation checks, with no security impact.

🌐 Internet-Facing: LOW - Requires local access or specific GPU management interfaces to trigger.

🏢 Internal Only: MEDIUM - Local users or processes with GPU access could cause system instability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and ability to set specific GPU speed values; not trivial but feasible for knowledgeable users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 402964994e8e, 509617407411, 6413fed01620, 7d641c2b8327, b7c41df49137

Vendor Advisory: https://git.kernel.org/stable/c/402964994e8ece29702383b234fabcf04791ff95

Restart Required: Yes

Instructions:

1. Update Linux kernel to a version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify GPU driver functionality post-update.

🔧 Temporary Workarounds

Restrict GPU speed setting access

linux

Limit user permissions to modify GPU speed parameters via system permissions or SELinux/AppArmor policies.

chmod 600 /sys/class/drm/card*/device/pp_dpm_sclk
chmod 600 /sys/class/drm/card*/device/pp_dpm_mclk

🧯 If You Can't Patch

Implement strict access controls to prevent unauthorized users from modifying GPU speed settings.
Monitor system logs for GPU driver crashes or unusual speed parameter changes.

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if AMD GPU driver is loaded: 'lsmod | grep amdgpu' and 'uname -r' to compare with patched versions.

Check Version:

uname -r

Verify Fix Applied:

After update, verify kernel version includes fix commits and test setting GPU speed values within normal ranges.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages
GPU driver crash logs in dmesg
System instability reports

Network Indicators:

None - local vulnerability only

SIEM Query:

source="dmesg" AND "divide error" OR "kernel panic" AND "amdgpu"

📊 Metadata

CVE ID: CVE-2025-37771

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-369

EPSS Score: 0.03% exploit probability (6.7th percentile)

Published: May 1, 2025

Last Updated: November 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-37771, you might also want to check these: