CVE-2025-38703

EUVD-2025-26766

04.09.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Make dma-fences compliant with the safe access rules

Xe can free some of the data pointed to by the dma-fences it exports. Most
notably the timeline name can get freed if userspace closes the associated
submit queue. At the same time the fence could have been exported to a
third party (for example a sync_fence fd) which will then cause an use-
after-free on subsequent access.

To make this safe we need to make the driver compliant with the newly
documented dma-fence rules. Driver has to ensure a RCU grace period
between signalling a fence and freeing any data pointed to by said fence.

For the timeline name we simply make the queue be freed via kfree_rcu and
for the shared lock associated with multiple queues we add a RCU grace
period before freeing the per GT structure holding the lock.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.8 ≤ 𝑥 < 6.12.43
linux	linux_kernel	6.13 ≤ 𝑥 < 6.15.11
linux	linux_kernel	6.16 ≤ 𝑥 < 6.16.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.257-1 fixed
forky	7.0.9-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-source-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.15.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-doc

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-debug-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-64k-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-tools

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-uki-virt-addons

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

libperf

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

perf

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

python3-perf

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

rtla

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

RHEL 9

0:5.14.0-611.24.1.el9_7

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/683b0e397dad9f26a42dcacf6f7f545a77ce6c06

https://git.kernel.org/stable/c/6bd90e700b4285e6a7541e00f969cab0d696adde

https://git.kernel.org/stable/c/b17fcce70733c211cb5dabf54f4f9491920b1d92

https://git.kernel.org/stable/c/ba37807d08bae67de6139346a85650cab5f6145a