LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38520: drm/amdkfd: Don't call mmput from MMU notifier callback

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can deadlock AMD GPU memory handling during process exit or memory-management activity. The documented effect is hung tasks, leaked KFD process state, and VRAM leakage. Business risk is mainly availability on systems using affected Linux kernels with AMD GPU compute paths.

Executive priority

Treat as a targeted availability risk for AMD GPU Linux fleets, not a broad internet-facing emergency based on current evidence. Patch through normal kernel maintenance, faster for GPU compute, shared research, or production systems where VRAM leakage and hangs affect service reliability.

Technical view

The flaw is in drm/amdkfd MMU notifier handling. Calling mmput from the notifier callback can release the last mm reference and enter exit_mmap/free_pgtable in a deadlock-prone path. The fix moves reference handling to deferred work using mmget_non_zero paired with mmput.

Likely exposure

Exposure is most likely on Linux systems running affected kernel versions with AMDGPU/KFD functionality in use. The source lists Linux kernel affected entries including 5.19, 6.1.148, 6.6.101, 6.12.39, 6.15.7, and 6.16. Downstream distro exposure needs vendor mapping.

Exploitation context

The source bundle provides a hung-task backtrace and states the consequence is deadlock and VRAM leakage. It does not cite active exploitation, and KEV is false. No public exploitability details or attack preconditions are established in the provided sources.

Researcher notes

The evidence is specific to a kernel deadlock path in drm/amdkfd. The supplied affected-version data is sparse and includes upstream versions and commits, so validate against downstream kernel backports. The impact described is resource leakage and hang behavior; confidentiality and integrity impact are not evidenced.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable fixes.
  • Check Debian LTS and other distro advisories for packaged kernel guidance.
  • Prioritize systems using AMDGPU/KFD or GPU compute workloads.
  • Plan reboot windows where kernel replacement is required.
  • If unsupported, consult vendor guidance for safe temporary exposure reduction.

Validation and detection

  • Inventory running kernel versions on Linux GPU systems.
  • Confirm whether amdgpu and amdkfd are present or loaded.
  • Review logs for hung tasks resembling the provided backtrace.
  • Verify the deployed kernel includes the referenced stable commit lineage.
  • Track distro advisory status before closing remediation tickets.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38520 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxfa582c6f3684ac0098a9d02ddf0ed52a02b37127, fa582c6f3684ac0098a9d02ddf0ed52a02b37127, fa582c6f3684ac0098a9d02ddf0ed52a02b37127, fa582c6f3684ac0098a9d02ddf0ed52a02b37127, fa582c6f3684ac0098a9d02ddf0ed52a02b37127, 09c5cdbc62d99fc6306a21b24b60eb11a3bd0963, 4b29b8d7c20f54eec0ff266b4a3f419bd251ed83, 5.15.49, 5.18.6unaffected
LinuxLinux5.19, 0, 6.1.148, 6.6.101, 6.12.39, 6.15.7, 6.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.