CVE-2025-21990: 
Linux Debian vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was identified in the Linux kernel's AMD GPU driver (CVE-2025-21990). The vulnerability was discovered and disclosed on April 2, 2025, affecting Linux kernel versions from 6.11 up to 6.12.20 and 6.13 up to 6.13.8. The issue specifically relates to the handling of PRT BOs (Buffer Objects) in the drm/amdgpu driver where the backing store's NULL-check was missing when determining GFX12 PTE flags (NVD).

The vulnerability stems from improper NULL pointer handling in the AMD GPU driver's PTE flags determination for GFX12. The issue occurs when PRT BOs lack a backing store, causing bo->tbo.resource to be NULL, which could lead to a NULL pointer dereference if not properly checked. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on availability (NVD).

The vulnerability primarily affects system availability, with no direct impact on confidentiality or integrity as indicated by the CVSS metrics. A successful exploitation could lead to a system crash due to the NULL pointer dereference, potentially causing a denial of service condition (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves implementing proper NULL-checking of the BO's backing store before dereferencing bo->tbo.resource when determining GFX12 PTE flags. The patch has been cherry-picked from commit 3e3fcd29b505cebed659311337ea03b7698767fc (NVD).