
CVE-2025-38595

In the Linux kernel, the following vulnerability has been resolved:

xen: fix UAF in dmabuf_exp_from_pages()

[dma_buf_fd() fixes; no preferences regarding the tree it goes through -
up to xen folks]

As soon as we'd inserted a file reference into descriptor table, another
thread could close it.  That's fine for the case when all we are doing is
returning that descriptor to userland (it's a race, but it's a userland
race and there's nothing the kernel can do about it).  However, if we
follow fd_install() with any kind of access to objects that would be
destroyed on close (be it the struct file itself or anything destroyed
by its ->release()), we have a UAF.

dma_buf_fd() is a combination of reserving a descriptor and fd_install().
gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the
objects destroyed on close - starting with gntdev_dmabuf itself.

Fix that by reserving the descriptor before anything else and doing
fd_install() only when everything has been set up.
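The ordering the commit describes, shown as an added userspace model (this is illustration code, not kernel code and not from the CVE record). A tiny descriptor table stands in for the kernel's: reserve_fd() plays the role of get_unused_fd_flags(), install_fd() the role of fd_install(), and close_fd() the role of close() running a ->release(). The racing thread is modelled by a hook that closes the descriptor the instant it becomes visible, which is the worst case of the race; freed objects are flagged rather than actually freed so the bad access is observable instead of undefined behaviour. All names (exported_buf, export_before_fix, export_after_fix, racing_close, the hook) are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not kernel code: a userspace model of the
 * get_unused_fd_flags() + fd_install() two-step. Names are assumed. */

#define FD_MAX 8

struct exported_buf {
    int pages;      /* input: pages being exported (constructed sample) */
    int refcount;   /* stands in for setup work done on the object */
    bool freed;     /* set by the modelled ->release(); kernel would kfree() */
};

static struct exported_buf *fd_table[FD_MAX];   /* published entries */
static bool fd_reserved[FD_MAX];                /* handed out, maybe unpublished */

/* Models another thread running right after publication; set by the caller. */
static void (*after_install_hook)(int fd) = NULL;

/* Reserve a slot; nothing is visible to "userland" yet. */
static int reserve_fd(void)
{
    for (int fd = 0; fd < FD_MAX; fd++) {
        if (!fd_reserved[fd]) {
            fd_reserved[fd] = true;
            return fd;
        }
    }
    return -1;                          /* EMFILE in the real table */
}

static void put_unused_fd(int fd)
{
    fd_reserved[fd] = false;
}

/* Publish the object; from here on another thread may close it at any time. */
static void install_fd(int fd, struct exported_buf *b)
{
    fd_table[fd] = b;
    if (after_install_hook)
        after_install_hook(fd);
}

static int close_fd(int fd)
{
    if (fd < 0 || fd >= FD_MAX || !fd_reserved[fd] || fd_table[fd] == NULL)
        return -1;                      /* EBADF */
    fd_table[fd]->freed = true;         /* ->release() destroys the object */
    fd_table[fd] = NULL;
    fd_reserved[fd] = false;
    return 0;
}

/* Pattern before the fix: publish, then keep using the object. */
static int export_before_fix(struct exported_buf *b)
{
    if (b->pages <= 0)
        return -1;
    int fd = reserve_fd();
    if (fd < 0)
        return fd;
    install_fd(fd, b);                  /* dma_buf_fd(): reserve + install at once */
    if (b->freed)
        return -2;                      /* the model's UAF detector */
    b->refcount++;                      /* post-install access on a possibly dead object */
    return fd;
}

/* Pattern after the fix: reserve, finish all setup, publish last. */
static int export_after_fix(struct exported_buf *b)
{
    int fd = reserve_fd();
    if (fd < 0)
        return fd;
    if (b->pages <= 0) {                /* setup failed: give the slot back, nothing published */
        put_unused_fd(fd);
        return -1;
    }
    b->refcount++;                      /* setup while the fd is still private */
    install_fd(fd, b);                  /* last step; b is never touched again */
    return fd;
}

/* Worst-case racing thread: closes the descriptor as soon as it is visible. */
static void racing_close(int fd)
{
    close_fd(fd);
}

int main(void)
{
    struct exported_buf a = { 4, 0, false }, c = { 4, 0, false };
    after_install_hook = racing_close;
    int r1 = export_before_fix(&a);
    printf("before fix: %d (object freed=%d)\n", r1, a.freed);
    int r2 = export_after_fix(&c);
    printf("after fix:  fd %d (object freed=%d, refcount=%d)\n", r2, c.freed, c.refcount);
    return 0;
}
```

With the hook installed, the pre-fix path returns the model's UAF marker because the object was released between install_fd() and the refcount update; the fixed path returns a descriptor that the racing close has already invalidated, which is exactly the userland-only race the commit says the kernel cannot prevent, but the kernel side never touches the object again.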

Linked by AI from unstructured data to existing CPEs in the NVD
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux
Product: Linux
Default status: unaffected (ranges by git commit)

Range                                                                                    Status
>= a240d6e42e28c34fdc34b3a98ca838a31c939901, < e5907885260401bba300d4d18d79875c05b82651  affected
>= a240d6e42e28c34fdc34b3a98ca838a31c939901, < 3edfd2353f301bfffd5ee41066e37320a59ccc2d  affected
>= a240d6e42e28c34fdc34b3a98ca838a31c939901, < d59d49af4aeed9a81e673e37c26c6a3bacf1a181  affected
>= a240d6e42e28c34fdc34b3a98ca838a31c939901, < 532c8b51b3a8676cbf533a291f8156774f30ea87  affected

Vendor: Linux
Product: Linux
Default status: affected (ranges by kernel version)

Range                        Status
4.19                         affected
>= 0, < 4.19                 unaffected
>= 6.12.42, <= 6.12.*        unaffected
>= 6.15.10, <= 6.15.*        unaffected
>= 6.16.1, <= 6.16.*         unaffected
>= 6.17-rc1, <= *            unaffected
No CISA KEV entry or CERT.at warning was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.03%   0.055

CVSS metrics
Source   Base Score   Exploit Score   Impact Score   Vector string