Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-38731— drm/xe: Fix vm_bind_ioctl double free bug

EPSS 0.02% · P6
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-38731

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
drm/xe: Fix vm_bind_ioctl double free bug
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix vm_bind_ioctl double free bug If the argument check during an array bind fails, the bind_ops are freed twice as seen below. Fix this by setting bind_ops to NULL after freeing. ================================================================== BUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] Free of addr ffff88813bb9b800 by task xe_vm/14198 CPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full) Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5 RVP, BIOS ADLPFWI1.R00.2411.A02.2110081023 10/08/2021 Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 print_report+0xcb/0x610 ? __virt_addr_valid+0x19a/0x300 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] kasan_report_invalid_free+0xc8/0xf0 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] check_slab_allocation+0x102/0x130 kfree+0x10d/0x440 ? should_fail_ex+0x57/0x2f0 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] xe_vm_bind_ioctl+0x1b2/0x21f0 [xe] ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe] ? __lock_acquire+0xab9/0x27f0 ? lock_acquire+0x165/0x300 ? drm_dev_enter+0x53/0xe0 [drm] ? find_held_lock+0x2b/0x80 ? drm_dev_exit+0x30/0x50 [drm] ? drm_ioctl_kernel+0x128/0x1c0 [drm] drm_ioctl_kernel+0x128/0x1c0 [drm] ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe] ? find_held_lock+0x2b/0x80 ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm] ? should_fail_ex+0x57/0x2f0 ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe] drm_ioctl+0x352/0x620 [drm] ? __pfx_drm_ioctl+0x10/0x10 [drm] ? __pfx_rpm_resume+0x10/0x10 ? do_raw_spin_lock+0x11a/0x1b0 ? find_held_lock+0x2b/0x80 ? __pm_runtime_resume+0x61/0xc0 ? rcu_is_watching+0x20/0x50 ? trace_irq_enable.constprop.0+0xac/0xe0 xe_drm_ioctl+0x91/0xc0 [xe] __x64_sys_ioctl+0xb2/0x100 ? rcu_is_watching+0x20/0x50 do_syscall_64+0x68/0x2e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa9acb24ded (cherry picked from commit a01b704527c28a2fd43a17a85f8996b75ec8492a)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于xe_vm_bind_ioctl中存在双重释放错误。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux b43e864af0d4e74636c0e1dee857ce3275a84829 ~ 77a946bf1af0e8110ef6e243394217a17f9b7e33 -
LinuxLinux 6.15 -

II. Public POCs for CVE-2025-38731

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-38731

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-09-05 · 60 CVEs total

CVE-2025-39707drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities
CVE-2025-39725mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
CVE-2025-39722crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP
CVE-2025-39721crypto: qat - flush misc workqueue during device shutdown
CVE-2025-39720ksmbd: fix refcount leak causing resource not released
CVE-2025-39723netfs: Fix unbuffered write error handling
CVE-2025-39711media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
CVE-2025-39710media: venus: Add a check for packet size after reading from shared memory
CVE-2025-39709media: venus: protect against spurious interrupts during probe
CVE-2025-39708media: iris: Fix NULL pointer dereference
CVE-2025-39712media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval
CVE-2025-39706drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
CVE-2025-39705drm/amd/display: fix a Null pointer dereference vulnerability
CVE-2025-39704LoongArch: KVM: Fix stack protector issue in send_ipi_data()
CVE-2025-39703net, hsr: reject HSR frame if skb can't hold tag
CVE-2025-39702ipv6: sr: Fix MAC comparison to be constant-time
CVE-2025-39701ACPI: pfr_update: Fix the driver update version check
CVE-2025-39700mm/damon/ops-common: ignore migration request to invalid nodes
CVE-2025-39699iommu/riscv: prevent NULL deref in iova_to_phys
CVE-2025-39698io_uring/futex: ensure io_futex_wait() cleans up properly on failure

Showing top 20 of 60 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-38731

No comments yet

Leave a comment