CVE-2025-38673
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-22

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance" This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-22
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-08-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-38673
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves the dma_buf field in the struct drm_gem_object, which is not stable over the object's lifetime. Specifically, the dma_buf field becomes NULL when user space releases the final GEM handle on the buffer object, leading to a NULL-pointer dereference. Previous workarounds only partially addressed the issue and did not cover buffer objects without a DRM framebuffer associated. The vulnerability was resolved by reverting a commit that changed how dma_buf was used, returning to using .import_attach->dmabuf to avoid the NULL-pointer dereference.

Impact Analysis

The vulnerability can cause a NULL-pointer dereference in the Linux kernel's DRM subsystem, which may lead to system crashes or instability when user space releases the final GEM handle on a buffer object. This could potentially be exploited to cause denial of service or affect system reliability.

Mitigation Strategies

The vulnerability is resolved by reverting the commit cce16fcd7446dcff7480cd9d2b6417075ed81065, which involved changes to the dma_buf field handling in the Linux kernel's drm_gem_object. Immediate mitigation involves updating your Linux kernel to a version that includes this revert. Workarounds from previous commits only partially addressed the issue and are not fully effective, especially for buffer objects without a DRM framebuffer. Therefore, applying the official patch or kernel update that reverts to using .import_attach->dmabuf is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-38673. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart