CVE-2025-38595

In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the objects destroyed on close - starting with gntdev_dmabuf itself. Fix that by doing reserving descriptor before anything else and do fd_install() only when everything had been set up.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d	Patch
https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87	Patch
https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181	Patch
https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-08-19 17:15

Updated : 2025-11-26 18:01

NVD link : CVE-2025-38595

Mitre link : CVE-2025-38595

CVE.ORG link : CVE-2025-38595

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2025-38595", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-08-19T17:15:37.343", "references": [{"url": "https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we'd inserted a file reference into descriptor table, another\nthread could close it. That's fine for the case when all we are doing is\nreturning that descriptor to userland (it's a race, but it's a userland\nrace and there's nothing the kernel can do about it). However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its ->release()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by doing reserving descriptor before anything else and do\nfd_install() only when everything had been set up."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xen: correcci\u00f3n de UAF en dmabuf_exp_from_pages() [dma_buf_fd() corrige; no hay preferencias sobre el \u00e1rbol que recorre - depende de los usuarios de xen]. En cuanto insertamos una referencia a un archivo en la tabla de descriptores, otro hilo podr\u00eda cerrarla. Esto funciona bien cuando solo devolvemos ese descriptor al espacio de usuario (es una ejecuci\u00f3n, pero es una ejecuci\u00f3n de espacio de usuario y el kernel no puede hacer nada al respecto). Sin embargo, si despu\u00e9s de fd_install() accedemos a objetos que se destruir\u00edan al cerrar (ya sea el propio archivo de estructura o cualquier objeto destruido por su ->release()), tenemos un UAF. dma_buf_fd() combina la reserva de un descriptor con fd_install(). gntdev dmabuf_exp_from_pages() lo llama y procede a acceder a los objetos destruidos al cerrar, empezando por el propio gntdev_dmabuf. Arregle esto reservando el descriptor antes de cualquier otra cosa y ejecutando fd_install() solo cuando todo est\u00e9 configurado."}], "lastModified": "2025-11-26T18:01:25.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D1041F7F-DC8F-400D-8487-F9D5516F5661", "versionEndExcluding": "6.12.42", "versionStartIncluding": "4.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142", "versionEndExcluding": "6.15.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB", "versionEndExcluding": "6.16.1", "versionStartIncluding": "6.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}