CVE-2025-40110

Vulnerability

In the Linux kernel's VMwgfx DRM driver, the cursor snooper functionality performs an unchecked null-pointer dereference when processing a command that references an invalid surface resource. The function vmw_cmd_res_check accepts the identifier SVGA3D_INVALID_ID to represent "no surface" per the SVGA protocol [1]. However, the cursor snooping code does not handle a null resource object resulting from such an identifier, leading to a null-ptr access [2].

Exploitation

An attacker with access to the VMwgfx device interface (e.g., a local user with permissions to submit command buffers to the virtual GPU) can craft a command that includes an invalid surface handle. By passing an invalid resource identifier to the cursor snooper without additional validation, the kernel attempts to dereference a null pointer [3]. No authentication beyond local system access to the graphics device is required.

Impact

Successful exploitation causes a kernel oops or panic, resulting in a denial of service (DoS). The vulnerability does not appear to allow code execution beyond the immediate null-ptr dereference crash [4].

Mitigation

The fix adds a check to verify that the resource object exists after vmw_cmd_res_check before proceeding with cursor snooping [3][4]. Patches have been committed to the Linux kernel stable tree. Affected systems should update to a kernel version containing the commit that adds the null-resource check.