CVE-2025-38672

{"id": "CVE-2025-38672", "cveTags": [], "metrics": {}, "published": "2025-08-22T16:15:42.820", "references": [{"url": "https://git.kernel.org/stable/c/1918e79be908b8a2c8757640289bc196c14d928a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7bdb3104a2f71ec1439d37f8e6e2f201dbcd7cf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/gem-dma: Use dma_buf from GEM object instance\"\n\nThis reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance's lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don't work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach->dmabuf.\n\nv3:\n- cc stable"}], "lastModified": "2025-08-22T18:08:51.663", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}