CVE-2025-37869

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Use local fence in error path of xe_migrate_clear The intent of the error path in xe_migrate_clear is to wait on locally generated fence and then return. The code is waiting on m->fence which could be the local fence but this is only stable under the job mutex leading to a possible UAF. Fix code to wait on local fence. (cherry picked from commit 762b7e95362170b3e13a8704f38d5e47eca4ba74)

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/20659d3150f1a2a258a173fe011013178ff2a197	Patch
https://git.kernel.org/stable/c/2ac5f466f62892a7d1ac2d1a3eb6cd14efbe2f2d	Patch
https://git.kernel.org/stable/c/dc712938aa26b001f448d5e93f59d57fa80f2dbd	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::

History

12 Nov 2025, 20:37

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
CWE		CWE-416
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/20659d3150f1a2a258a173fe011013178ff2a197 -~~	() https://git.kernel.org/stable/c/20659d3150f1a2a258a173fe011013178ff2a197 - Patch
References	~~() https://git.kernel.org/stable/c/2ac5f466f62892a7d1ac2d1a3eb6cd14efbe2f2d -~~	() https://git.kernel.org/stable/c/2ac5f466f62892a7d1ac2d1a3eb6cd14efbe2f2d - Patch
References	~~() https://git.kernel.org/stable/c/dc712938aa26b001f448d5e93f59d57fa80f2dbd -~~	() https://git.kernel.org/stable/c/dc712938aa26b001f448d5e93f59d57fa80f2dbd - Patch

Information

Published : 2025-05-09 07:16

Updated : 2025-11-12 20:37

NVD link : CVE-2025-37869

Mitre link : CVE-2025-37869

CVE.ORG link : CVE-2025-37869

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2025-37869", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-05-09T07:16:07.997", "references": [{"url": "https://git.kernel.org/stable/c/20659d3150f1a2a258a173fe011013178ff2a197", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2ac5f466f62892a7d1ac2d1a3eb6cd14efbe2f2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc712938aa26b001f448d5e93f59d57fa80f2dbd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Use local fence in error path of xe_migrate_clear\n\nThe intent of the error path in xe_migrate_clear is to wait on locally\ngenerated fence and then return. The code is waiting on m->fence which\ncould be the local fence but this is only stable under the job mutex\nleading to a possible UAF. Fix code to wait on local fence.\n\n(cherry picked from commit 762b7e95362170b3e13a8704f38d5e47eca4ba74)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe: Uso de una valla local en la ruta de error de xe_migrate_clear. La ruta de error en xe_migrate_clear espera en la valla generada localmente y luego regresa. El c\u00f3digo espera en m->fence, que podr\u00eda ser la valla local, pero esto solo es estable bajo el mutex de trabajo, lo que podr\u00eda provocar un UAF. Se corrige el c\u00f3digo para que espere en la valla local. (Seleccionado de la confirmaci\u00f3n 762b7e95362170b3e13a8704f38d5e47eca4ba74)"}], "lastModified": "2025-11-12T20:37:16.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBBDA0D8-E64F-41F7-ADFF-19A22F63B1B9", "versionEndExcluding": "6.12.25", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29FA1A8E-1C2A-4B0B-B397-2C915ECDEDEE", "versionEndExcluding": "6.14.4", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}