CVE-2025-38595

EPSS 0.03%
Veröffentlicht 19.08.2025 17:15:37
Zuletzt bearbeitet 20.08.2025 14:40:17
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

xen: fix UAF in dmabuf_exp_from_pages()

[dma_buf_fd() fixes; no preferences regarding the tree it goes through -
up to xen folks]

As soon as we'd inserted a file reference into descriptor table, another
thread could close it.  That's fine for the case when all we are doing is
returning that descriptor to userland (it's a race, but it's a userland
race and there's nothing the kernel can do about it).  However, if we
follow fd_install() with any kind of access to objects that would be
destroyed on close (be it the struct file itself or anything destroyed
by its ->release()), we have a UAF.

dma_buf_fd() is a combination of reserving a descriptor and fd_install().
gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the
objects destroyed on close - starting with gntdev_dmabuf itself.

Fix that by doing reserving descriptor before anything else and do
fd_install() only when everything had been set up.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < e5907885260401bba300d4d18d79875c05b82651

Version a240d6e42e28c34fdc34b3a98ca838a31c939901

Status affected

Version < 3edfd2353f301bfffd5ee41066e37320a59ccc2d

Version a240d6e42e28c34fdc34b3a98ca838a31c939901

Status affected

Version < d59d49af4aeed9a81e673e37c26c6a3bacf1a181

Version a240d6e42e28c34fdc34b3a98ca838a31c939901

Status affected

Version < 532c8b51b3a8676cbf533a291f8156774f30ea87

Version a240d6e42e28c34fdc34b3a98ca838a31c939901

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 4.19

Status affected

Version < 4.19

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.42

Status unaffected

Version <= 6.15.*

Version 6.15.10

Status unaffected

Version <= 6.16.*

Version 6.16.1

Status unaffected

Version <= *

Version 6.17-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.055

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d

https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87

https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181

https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651

https://nvd.nist.gov/vuln/detail/CVE-2025-38595

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38595

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38595

EUVD