CVE-2025-40111
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix Use-after-free in validation
Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's drm/vmwgfx driver due to a validation node escaping cleanup, potentially leading to memory corruption.
Root Cause
The vulnerability resides in the Linux kernel's DRM subsystem for VMware graphics (drm/vmwgfx). During command buffer validation, nodes are stored in a duplicates hashtable and allocated from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be removed via vmw_validation_drop_ht, but a specific node escapes because its associated resource is destroyed prematurely, leaving a dangling pointer in the hashtable [1].
Exploitation
An attacker with local access and the ability to submit crafted command buffers to the vmwgfx driver can trigger this use-after-free. The attack requires the ability to cause a resource to be destroyed while a validation node still references it, bypassing the normal cleanup path. No special privileges beyond the ability to interact with the DRM device are needed [2].
Impact
Successful exploitation results in a use-after-free condition, which can lead to memory corruption, system crash (denial of service), or potentially privilege escalation if the freed memory is reallocated for a different purpose. The vulnerability is classified as a high-severity issue due to the potential for arbitrary code execution in kernel context.
Mitigation
The fix is included in the Linux kernel stable tree via commits [1] and [2]. Users should update to a kernel version containing these patches. No workaround is available; the vulnerability is resolved by ensuring that all validation nodes are properly cleaned up even when resources are destroyed early.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
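As an added illustration (not code from the kernel, from vmwgfx, or from this CVE's patches), the following C model reproduces the failure mode described under Root Cause and the cleanup property the Mitigation section calls for: hashtable nodes are carved out of a per-submission arena, the cleanup pass relies on each resource still pointing at its node, and a resource destroyed early leaves its node linked in the table at the moment the arena is wiped. Every name in it (arena, val_node, drop_ht_via_resources, drop_ht_walk, run_submission) is an assumption of the model, and the table-walk cleanup is a strategy chosen for the model, not a description of what the upstream commits do.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class, not vmwgfx code: hashtable entries are carved
 * from a per-submission arena and cleanup relies on each resource still pointing at
 * its entry. Every name here (arena, val_node, drop_ht_*) is an assumption. */

#define ARENA_SIZE 4096
#define HT_BUCKETS 8

struct arena { unsigned char buf[ARENA_SIZE]; size_t used; };
struct val_node { struct val_node *next; unsigned key; };
struct resource { unsigned key; struct val_node *node; bool alive; };
struct hashtable { struct val_node *bucket[HT_BUCKETS]; };

static void *arena_alloc(struct arena *a, size_t n)
{
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Clearing the arena never consults the hashtable: an entry still linked into it
 * now points at memory the next submission hands out again (poisoned here). */
static void arena_clear(struct arena *a) { memset(a->buf, 0xAA, sizeof a->buf); a->used = 0; }

static void ht_add(struct hashtable *ht, struct val_node *n)
{ size_t b = n->key % HT_BUCKETS; n->next = ht->bucket[b]; ht->bucket[b] = n; }

static void ht_remove(struct hashtable *ht, struct val_node *n)
{
    for (struct val_node **pp = &ht->bucket[n->key % HT_BUCKETS]; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; n->next = NULL; return; }
}

size_t ht_count(const struct hashtable *ht)
{
    size_t count = 0;
    for (size_t b = 0; b < HT_BUCKETS; b++)
        for (const struct val_node *n = ht->bucket[b]; n; n = n->next) count++;
    return count;
}

/* Register a resource for validation; its node is arena memory. */
static bool validation_add(struct arena *a, struct hashtable *ht, struct resource *r)
{
    struct val_node *n = arena_alloc(a, sizeof *n);
    if (!n) return false;
    n->key = r->key; n->next = NULL; r->node = n;
    ht_add(ht, n);
    return true;
}

/* Premature destruction: the resource forgets its node, but nothing unlinks the node
 * from the hashtable, so it escapes any cleanup that starts from the resource. */
static void resource_destroy(struct resource *r) { r->alive = false; r->node = NULL; }

/* Buggy cleanup: only reaches nodes that a still-live resource points to. */
static void drop_ht_via_resources(struct hashtable *ht, struct resource *res, size_t nres)
{
    for (size_t i = 0; i < nres; i++)
        if (res[i].node) { ht_remove(ht, res[i].node); res[i].node = NULL; }
}

/* Robust cleanup: walk the table itself so no entry can escape. This is the model's
 * strategy, not a claim about what the upstream patch does. */
static void drop_ht_walk(struct hashtable *ht)
{
    for (size_t b = 0; b < HT_BUCKETS; b++) {
        for (struct val_node *n = ht->bucket[b], *next; n; n = next) { next = n->next; n->next = NULL; }
        ht->bucket[b] = NULL;
    }
}

/* One simulated submission. Returns how many entries are still linked into the hashtable
 * when the arena is cleared; anything above zero is a dangling pointer for the next one. */
size_t run_submission(bool premature_destroy, bool walk_table)
{
    struct arena a = {0};
    struct hashtable ht = {0};
    struct resource res[2] = { { 11, NULL, true }, { 27, NULL, true } };
    for (size_t i = 0; i < 2; i++) validation_add(&a, &ht, &res[i]);
    if (premature_destroy) resource_destroy(&res[1]);   /* destroyed before cleanup runs */
    if (walk_table) drop_ht_walk(&ht); else drop_ht_via_resources(&ht, res, 2);
    size_t stale = ht_count(&ht);
    arena_clear(&a);                                    /* end of the submission */
    return stale;
}

int main(void)
{
    printf("resource-driven cleanup, normal path:       %zu stale\n", run_submission(false, false));
    printf("resource-driven cleanup, premature destroy: %zu stale\n", run_submission(true, false));
    printf("table walk, premature destroy:              %zu stale\n", run_submission(true, true));
}
```

Compile with any C99 compiler and run: the second line reports one stale entry, which in the real driver would be a pointer into validation memory that vmw_execbuf_process has already released. When reviewing similar code, the property worth checking is that the cleanup pass reaches every hashtable entry independently of the lifetime of the object it was registered for.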
Affected products (2)
Patches (8)
- 1822e5287b7d
- fb7165e5f3b3
- 4c918f9d1ccc
- 9a8eaca53970
- 867bda5d95d3
- 655a2f29bfc2
- 65608e991c2d
- dfe1323ab3c8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1822e5287b7dfa59d0af966756ebf1dc652b60ee (nvd)
- git.kernel.org/stable/c/4c918f9d1ccccc0e092f43dcb2d8266f54d7340b (nvd)
- git.kernel.org/stable/c/655a2f29bfc21105c80bf8a7d7aafa6eca8b4496 (nvd)
- git.kernel.org/stable/c/65608e991c2d771c13404e5c7ae122ac3c3357a4 (nvd)
- git.kernel.org/stable/c/867bda5d95d36f10da398fd4409e21c7002b2332 (nvd)
- git.kernel.org/stable/c/9a8eaca539708ca532747f606d231f70e684e8ca (nvd)
- git.kernel.org/stable/c/dfe1323ab3c8a4dd5625ebfdba44dc47df84512a (nvd)
- git.kernel.org/stable/c/fb7165e5f3b3b10721ff70553583ad12e90e447a (nvd)
News mentions (0)
No linked articles in our index yet.