CVE-2025-21995 in Linux
Summary
by MITRE • 04/03/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix fence reference count leak
The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails.
Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance.
[phasta: add git tag info for stable kernel]
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/16/2026
This vulnerability exists within the Linux kernel's display subsystem, specifically in the drm/sched component responsible for managing graphics job scheduling and fence operations. The issue manifests as a reference count leak that occurs during the cleanup process of graphics entities when they are terminated. The problem is particularly significant in graphics-intensive applications and systems where multiple concurrent graphics operations are common, as it can lead to gradual resource exhaustion over time. The vulnerability affects systems running Linux kernels that include the problematic drm/sched implementation, potentially impacting desktop environments, server graphics processing, and embedded systems with graphics capabilities.
The technical flaw stems from improper handling of fence reference counting within the graphics scheduling subsystem. When a graphics entity is being killed and the cleanup callback registration fails, the system fails to decrement the reference count of the previous fence object. This creates a dangling reference that prevents proper memory deallocation and resource cleanup. The dma_fence_add_callback() function, which is responsible for adding cleanup callbacks to fence objects, can fail in certain conditions such as memory allocation issues or system resource constraints. When this failure occurs, the code path does not properly account for the reference count decrement, leading to a memory leak that accumulates over time as more entities are terminated.
The operational impact of this vulnerability can be substantial in high-throughput graphics environments where numerous graphics jobs are submitted and terminated rapidly. The reference count leak gradually consumes available memory resources, potentially leading to system performance degradation, increased memory pressure, and in severe cases, system instability or crashes. Applications that rely heavily on graphics processing, such as video editing software, 3D rendering applications, gaming platforms, and server-based graphics rendering systems, would be particularly affected. The leak may not immediately cause system failure but can accumulate over time, making it a stealthy but persistent threat to system reliability and resource management.
Mitigation strategies for this vulnerability involve applying the kernel patch that properly decrements the reference count when dma_fence_add_callback() fails. System administrators should prioritize updating to kernel versions that include this fix, particularly in production environments where graphics workloads are intensive. The fix aligns with best practices for resource management and follows the principles outlined in CWE-404, which addresses improper resource cleanup. Organizations should implement regular kernel update schedules and monitor for similar reference counting issues in other kernel subsystems. Additionally, system monitoring tools should be configured to detect unusual memory consumption patterns that might indicate resource leaks, providing early warning of potential issues before they escalate. The fix also demonstrates adherence to ATT&CK technique T1484.001, which involves privilege escalation through kernel vulnerabilities, by ensuring proper resource handling and preventing potential exploitation vectors that could arise from resource exhaustion attacks.