LiveActive security incident?Get immediate response
CVE Record

CVE-2025-71303: accel/amdxdna: Fix race condition when checking rpm_on

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix race condition when checking rpm_on When autosuspend is triggered, driver rpm_on flag is set to indicate that a suspend/resume is already in progress. However, when a userspace application submits a command during this narrow window, amdxdna_pm_resume_get() may incorrectly skip the resume operation because the rpm_on flag is still set. This results in commands being submitted while the device has not actually resumed, causing unexpected behavior. The set_dpm() is called by suspend/resume, it relied on rpm_on flag to avoid calling into rpm suspend/resume recursivly. So to fix this, remove the use of the rpm_on flag entirely. Instead, introduce aie2_pm_set_dpm() which explicitly resumes the device before invoking set_dpm(). With this change, set_dpm() is called directly inside the suspend or resume execution path. Otherwise, aie2_pm_set_dpm() is called.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue affects the AMD XDNA accelerator driver. A timing race during power management can let an application submit work while the device has not fully resumed. The public record describes unexpected behavior, but gives no CVSS score, confirmed security impact, patch-package mapping, or active exploitation evidence.

Executive priority

Treat this as a targeted kernel maintenance item, not an emergency internet-wide event. Prioritize patch validation where AMD XDNA accelerators are deployed or planned, especially on systems running affected kernel lines.

Technical view

The amdxdna driver used an rpm_on flag to avoid recursive runtime power-management paths. During autosuspend, amdxdna_pm_resume_get() could incorrectly skip resume because rpm_on was set, then accept commands before device resume completed. The fix removes rpm_on reliance and explicitly resumes before set_dpm() outside suspend/resume paths.

Likely exposure

Exposure appears limited to Linux systems using the AMD XDNA accelerator driver on affected kernel versions. The bundled affected data lists Linux versions including 6.19, 6.19.4, and 7.0, but distro-specific package status is not provided.

Exploitation context

The source bundle does not report active exploitation, and KEV is false. The described trigger requires a userspace command submission during a narrow autosuspend window. Public evidence supports reliability or unexpected-behavior risk, not a proven remote compromise path.

Researcher notes

The record is sparse: no CVSS, CWE, exploit report, or detailed impact boundary is provided. Analysis should focus on runtime PM state transitions, command submission during autosuspend, and whether failed resume can cause denial of service, data corruption, or broader kernel impact.

Mitigation direction

  • Check your Linux vendor advisory for CVE-2025-71303 package status.
  • Update to a kernel containing one of the linked stable fixes.
  • Prioritize systems with AMD XDNA accelerator hardware or enabled amdxdna driver.
  • If patching is delayed, review whether the driver is needed on affected systems.
  • Track distro backports because commit-level fixes may appear under vendor package versions.

Validation and detection

  • Inventory kernels and confirm whether amdxdna support is present or loaded.
  • Map installed kernel packages to vendor advisories for CVE-2025-71303.
  • Verify the relevant stable fix commit is included in your kernel source or changelog.
  • Review logs for AMD XDNA runtime power-management errors or unexplained accelerator failures.
  • Confirm regression testing covers suspend, resume, and accelerator workload submission.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-71303 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux063db451832b8849faf1b0b8404b3a6a39995b29, 063db451832b8849faf1b0b8404b3a6a39995b29unaffected
LinuxLinux6.19, 0, 6.19.4, 7.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.