CVE-2025-38596 in Linux
Summary
by MITRE • 08/19/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create(), except the debugfs tracking uses a separate lock and list and separate flag to denotate whether the object is actually initialized.
Since I'm touching this all anyway simplify this by only adding the object to the debugfs when it's ready for that, which allows us to delete that separate flag. panthor_gem_debugfs_bo_rm() already checks whether we've actually been added to the list or this is some error path cleanup.
v2: Fix build issues for !CONFIG_DEBUGFS (Adrián)
v3: Add linebreak and remove outdated comment (Liviu)
Analysis
by VulDB Data Team • 12/15/2025
This vulnerability exists within the Linux kernel's DRM graphics subsystem, specifically in the panthor driver for Arm Mali GPUs built on the CSF (command stream frontend) architecture. It is a use-after-free that occurs while creating a GEM buffer object in panthor_gem_create_with_handle(). The affected code is the driver's debugfs bookkeeping for buffer objects, which exists for debugging and memory-usage monitoring, but the stale access sits in the ordinary object-creation path, so it is reachable whenever the kernel is built with debugfs support (CONFIG_DEBUG_FS), regardless of whether debugfs is mounted.
The root cause is an ordering error in object lifecycle management. drm_gem_handle_create() publishes the object to userspace and gives the new handle its own reference; the creation reference is then dropped with drm_gem_object_put(). Once the handle exists, another thread of the same process can close it at any time, so after the put the creating thread holds no reference of its own and the object may already have been freed. The vulnerable code nevertheless touched the object after the put to update its debugfs tracking state. That tracking was kept on a separate list under its own lock, with a separate flag recording whether the object was fully initialised, so the object's real state and the debugfs view of it could diverge, and the late flag update is the access that becomes a use-after-free.
The operational impact is not limited to a crash or hang. A kernel use-after-free is a memory-safety bug that, given a reliable way to win the race and control what is reallocated in the freed slot, can in principle be turned into arbitrary kernel code execution or privilege escalation; no public exploit is described here. Triggering it requires local access to the panthor DRM render node, which is typically granted to processes allowed to use the GPU, on a kernel built with CONFIG_DEBUG_FS. The affected driver serves Arm Mali CSF-architecture GPUs, so the exposed population is mostly Arm-based embedded and mobile devices and development boards. The debugfs filesystem itself does not need to be mounted or accessible to the attacker: the stale access happens during the normal buffer-object creation ioctl.
The fix corrects the ordering rather than adding locking. The object is added to the debugfs list only once it is fully constructed, before the handle is published, so the separate "initialised" flag is no longer needed and nothing has to touch the object after drm_gem_object_put(). The existing removal helper, panthor_gem_debugfs_bo_rm(), already tolerates objects that were never added (for example on error-path cleanup), so no new state is introduced. The patch also keeps the driver building when debugfs support is compiled out. The weakness is classified as CWE-416 (Use After Free); in ATT&CK terms an attacker exploiting it would be performing T1068 (Exploitation for Privilege Escalation), which describes the attack rather than the mitigation.
The fix addresses the root cause rather than a symptom: it removes the dual tracking mechanism, ensures debugfs only ever sees objects that are valid at the time they are listed, and closes the window between the final reference drop and the debugfs update. It also simplifies state management in the driver, which reduces the chance of the same class of lifetime bug reappearing. The general rule the patch enforces applies to any DRM driver: once drm_gem_handle_create() has published an object, the creator must not touch it after dropping its own reference.
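The ordering mistake described in the root-cause paragraph and the reordering the fix applies, reduced to a constructed userspace model in C. This is an added example, not code from the panthor driver or the Linux kernel. Names such as gem_obj, handle_create, create_with_handle, run_buggy and run_fixed are illustrative assumptions; the registry and gem_touch() exist only so that a post-free access is counted rather than being undefined behaviour, and the race is forced deterministically by closing the handle from the creating thread at the point where a concurrent DRM_IOCTL_GEM_CLOSE could do so.

```c
/* Constructed userspace model of the ordering bug and its fix; every
 * name here is illustrative, not the panthor driver's real API. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJS 8

struct gem_obj {
	int  refcount;            /* models the kref in drm_gem_object   */
	int  id;                  /* slot in the registry below           */
	bool on_debugfs_list;     /* linked on the driver's debugfs list  */
	bool debugfs_initialized; /* buggy scheme's separate "ready" flag */
};

/* Freed memory stays reachable via the registry so a post-free access
 * is counted instead of being undefined behaviour. */
static struct gem_obj *registry[MAX_OBJS];
static bool live[MAX_OBJS];
static int next_id;
static struct gem_obj *handle_slot; /* one-entry handle table          */
static int uaf_count;   /* accesses to an object after it was freed    */
static int debugfs_len; /* objects currently on the debugfs list       */

static void reset_state(void)
{
	for (int i = 0; i < MAX_OBJS; i++) {
		free(registry[i]);
		registry[i] = NULL;
		live[i] = false;
	}
	next_id = uaf_count = debugfs_len = 0;
	handle_slot = NULL;
}

/* Count an access to o if o has already been freed. */
static void gem_touch(struct gem_obj *o) { if (!live[o->id]) uaf_count++; }

static struct gem_obj *gem_alloc(void)
{
	if (next_id >= MAX_OBJS)
		return NULL;
	struct gem_obj *o = calloc(1, sizeof(*o));
	if (!o)
		return NULL;
	o->refcount = 1; /* the creation reference */
	o->id = next_id;
	registry[next_id] = o;
	live[next_id++] = true;
	return o;
}

/* Free callback: like panthor_gem_debugfs_bo_rm(), unlink only if listed. */
static void gem_free(struct gem_obj *o)
{
	if (o->on_debugfs_list)
		debugfs_len--;
	live[o->id] = false;
}

static void gem_object_get(struct gem_obj *o) { o->refcount++; }
static void gem_object_put(struct gem_obj *o) { if (--o->refcount == 0) gem_free(o); }

/* drm_gem_handle_create(): publish to userspace; the handle takes a ref. */
static int handle_create(struct gem_obj *o)
{
	if (handle_slot)
		return -1;
	handle_slot = o;
	gem_object_get(o);
	return 0;
}

/* DRM_IOCTL_GEM_CLOSE issued by another thread of the same process. */
static void handle_close(void)
{
	struct gem_obj *o = handle_slot;
	handle_slot = NULL;
	gem_object_put(o);
}

/* One creation.  race_close models the other thread closing the handle
 * as soon as it exists; fixed selects the corrected ordering. */
static int create_with_handle(bool fixed, bool race_close)
{
	struct gem_obj *o = gem_alloc();
	if (!o)
		return -1;
	o->on_debugfs_list = true; /* fixed: listed only now, fully built; */
	debugfs_len++;             /* buggy: listed early, flagged later  */
	if (handle_create(o)) {
		gem_object_put(o); /* error path; gem_free() unlinks it   */
		return -1;
	}
	if (race_close)
		handle_close();
	gem_object_put(o);                 /* drop creation ref; may free o */
	if (!fixed) {
		gem_touch(o);                  /* buggy: flag set after the put */
		o->debugfs_initialized = true; /* use-after-free when raced     */
	}
	return 0;
}

/* Run one creation and report how many post-free accesses it made. */
static int run_buggy(bool race) { reset_state(); create_with_handle(false, race); return uaf_count; }
static int run_fixed(bool race) { reset_state(); create_with_handle(true, race); return uaf_count; }
static int debugfs_list_len(void) { return debugfs_len; }

int main(void)
{
	printf("buggy, raced: %d post-free access(es)\n", run_buggy(true));
	printf("fixed, raced: %d post-free access(es)\n", run_fixed(true));
	return 0;
}
```

With the race forced, the buggy ordering writes the flag into an object whose last reference was dropped by the other thread's close; the fixed ordering performs no access at all after its own drm_gem_object_put() equivalent, and the free path unlinks the object from the debugfs list whether or not the handle was closed first.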