CVE-2025-37854: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37854 is a vulnerability discovered in the Linux kernel's AMD Kernel Fusion Driver (KFD) component, specifically affecting the mode1 reset functionality. The vulnerability was disclosed on May 9, 2025, and impacts various Linux distributions including Ubuntu and Debian systems (NVD, Wiz).

The vulnerability manifests as a use-after-free race condition in the drm/amdkfd component during mode1 reset operations. When the hardware scheduler hangs and mode1 reset is initiated to recover the GPU, KFD signals user space to abort processes. However, after process abort exit, user queues continue accessing system memory before hardware reset while the KFD cleanup worker simultaneously frees system memory and VRAM. This creates a race condition where KFD can allocate and reuse freed system memory while user queues write to the same memory location. The vulnerability has been assigned a CVSS v3.1 base score of 5.5, indicating moderate severity (Red Hat, NVD).

The exploitation of this vulnerability can result in data structure corruption and driver crashes, potentially affecting system stability. While the impact is considered moderate with a CVSS score of 5.5, it primarily affects system availability rather than confidentiality or integrity (Red Hat, Wiz).

The vulnerability has been addressed by modifying the KFD cleanup worker process. The fix implements a three-step process: first terminating user queues, then flushing the reset_domain work queue to wait for any ongoing GPU reset to complete, and finally freeing outstanding Buffer Objects (BOs). This approach eliminates the race condition that caused the vulnerability (NVD).