CVE-2025-38703

HIGH

Linux Kernel 6.8-6.12.42, 6.13.0-6.15.10, 6.16.0-6.16.1 - Use-After-Free in DRM/Xe DMA-Fence Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Make dma-fences compliant with the safe access rules Xe can free some of the data pointed to by the dma-fences it exports. Most notably the timeline name can get freed if userspace closes the associated submit queue. At the same time the fence could have been exported to a third party (for example a sync_fence fd) which will then cause an use- after-free on subsequent access. To make this safe we need to make the driver compliant with the newly documented dma-fence rules. Driver has to ensure a RCU grace period between signalling a fence and freeing any data pointed to by said fence. For the timeline name we simply make the queue be freed via kfree_rcu and for the shared lock associated with multiple queues we add a RCU grace period before freeing the per GT structure holding the lock.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/b17fcce70733c211cb5dabf54f4f9491920b1d92

Patch

https://git.kernel.org/stable/c/ba37807d08bae67de6139346a85650cab5f6145a

Patch

https://git.kernel.org/stable/c/683b0e397dad9f26a42dcacf6f7f545a77ce6c06

Patch

https://git.kernel.org/stable/c/6bd90e700b4285e6a7541e00f969cab0d696adde

Scores

CVSS v3 7.8

EPSS 0.0015

EPSS Percentile 4.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (14)

linux/Kernel 6.13.0 - 6.15.11linux

linux/Kernel 6.16.0 - 6.16.2linux

linux/Kernel 6.8.0 - 6.12.43linux

Linux/Linux < 6.8

Linux/Linux 6.12.43 - 6.12.*

Linux/Linux 6.15.11 - 6.15.*

Linux/Linux 6.16.2 - 6.16.*

Linux/Linux 6.17

Linux/Linux 6.8

Linux/Linux dd08ebf6c3525a7ea2186e636df064ea47281987 - 683b0e397dad9f26a42dcacf6f7f545a77ce6c06

... and 4 more

Published Sep 04, 2025

Tracked Since Feb 18, 2026