CVE-2025-21780: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21780 is a buffer overflow vulnerability discovered in the Linux kernel's AMD GPU driver, specifically in the smu_sys_set_pp_table() function. The vulnerability was disclosed on February 26, 2025, and affects various versions of the Linux kernel. The issue occurs when a malicious user provides a small pptable through sysfs followed by a bigger pptable, potentially leading to a buffer overflow attack (NVD).

The vulnerability exists in the drm/amdgpu driver's smu_sys_set_pp_table() function. The issue arises when handling power play tables (pptable) through sysfs, where a malicious user can trigger a buffer overflow by first providing a small pptable and then a larger one. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) (NVD).

The vulnerability could allow a local attacker with limited privileges to execute a buffer overflow attack, potentially leading to high impacts on confidentiality, integrity, and availability of the system. The high CVSS score indicates that successful exploitation could result in significant system compromise (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves adding a size check before allocating memory for the pptable and properly handling the memory deallocation. Users should update to patched versions of the kernel: 6.6.79 or later, 6.12.16 or later, or 6.13.4 or later (Kernel Patch).