VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 4, 2025· Updated Apr 15, 2026

CVE-2025-40225

CVE-2025-40225

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix kernel panic on partial unmap of a GPU VA region

This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.

Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.

Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP

pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] op_remap_cb.isra.22+0x50/0x80 __drm_gpuvm_sm_unmap+0x10c/0x1c8 drm_gpuvm_sm_unmap+0x40/0x60 panthor_vm_exec_op+0xb4/0x3d0 [panthor] panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor] panthor_ioctl_vm_bind+0x160/0x4a0 [panthor] drm_ioctl_kernel+0xbc/0x138 drm_ioctl+0x240/0x500 __arm64_sys_ioctl+0xb0/0xf8 invoke_syscall+0x4c/0x110 el0_svc_common.constprop.1+0x98/0xf8 do_el0_svc+0x24/0x38 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xc8 el0t_64_sync+0x174/0x178

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Partial unmap of a GPU VA region in Linux kernel's Panthor driver leads to a NULL pointer dereference and kernel panic.

Root

Cause

The Panthor DRM driver in the Linux kernel contains a bug in its handling of partial unmapping of a GPU virtual address (VA region. When userspace issues a partial unmap via the VM_BIND interface, the driver pre-allocates memory for new drm_gpuva structures that might be needed during the operation. The code incorrectly assumed only one new structure would be needed, but a partial unmap can require two. This mismatch leads to a NULL pointer dereference when the second structure is accessed, causing a kernel panic. [1]

Exploitation

An attacker with the ability to issue DRM VM_BIND ioctls to a Panthor GPU device can trigger this vulnerability. No special privileges beyond access to the device are required. The attacker crafts a partial unmap request on a previously mapped buffer object, causing the driver to reach the unexpected code path. No special network position is needed—local access to the kernel through the DRM subsystem is sufficient. [1]

Impact

Successful exploitation results in a denial of service via kernel crash. The provided crash dump shows a NULL pointer dereference at panthor_gpuva_sm_step_remap+0xe4. The impact is limited to system availability; based on available information, there is no indication of privilege escalation or code execution. [1]

Mitigation

The fix is included in the Linux kernel commit referenced. Users should update to a kernel version that contains the patch. For systems using distribution kernels, apply the respective security updates. No workaround is available other than restricting access to the DRM subsystem. [1]

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

3
efe6dced3512
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e9c19d19dd7e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
4eabd0d8791e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.