CVE-2025-68735
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in Linux drm/panthor GROUP_CREATE ioctl

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Prevent potential UAF in group creation This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handle of a group and try to call GROUP_DESTROY ioctl from another thread around the same time as GROUP_CREATE ioctl. To prevent the use after free exploit, this commit uses a mark on an entry of group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle and so userspace won't be abe to delete a group that isn't marked yet. v2: Add R-bs and fixes tags
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68735
EUVD
EUVD-2025-205227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free (UAF) issue in the Linux kernel's drm/panthor driver related to group creation. Specifically, in the GROUP_CREATE ioctl function, a pointer to a group is accessed after it has been stored in an Xarray. A malicious userspace process can guess the handle of a group and attempt to call GROUP_DESTROY ioctl from another thread simultaneously with GROUP_CREATE ioctl, potentially causing a use-after-free condition. The fix involves marking the group entry in the Xarray before returning from GROUP_CREATE ioctl and checking this mark in all ioctls that use the group handle, preventing deletion of unmarked groups and thus preventing the UAF exploit.

Impact Analysis

This vulnerability could allow a malicious userspace process to exploit a use-after-free condition, potentially leading to undefined behavior such as memory corruption, crashes, or privilege escalation within the Linux kernel. This could compromise system stability or security by allowing attackers to execute arbitrary code or cause denial of service.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the use after free issue in the drm/panthor GROUP_CREATE ioctl function. This fix prevents malicious userspace from exploiting the vulnerability by marking group entries properly and checking these marks on all relevant ioctls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart