VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2025 · Updated Apr 15, 2026

CVE-2025-40276

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Flush shmem writes before mapping buffers CPU-uncached

The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing cache flush in the Linux kernel's drm/panthor driver can leak sensitive data or corrupt GPU buffers when shmem pages are mapped uncached.

Vulnerability description

The drm/panthor driver, which supports Arm Mali-based GPUs in the Linux kernel, contains a missing cache coherency step when allocating and mapping shmem-backed buffer objects. The vulnerability arises because the shmem layer initializes freshly allocated pages (zeroes them) using cached CPU mappings. When these pages are subsequently mapped as CPU-uncached for the GPU, any dirty cache lines left from the initialization are not flushed. The description [1] states this can lead to "potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted."

Exploitation prerequisites

Exploitation does not require special privileges beyond normal GPU access (e.g., via a DRM file descriptor). An attacker would need to be able to submit GPU workloads that allocate or use panthor buffers, which is possible from user space on systems where the panthor driver is loaded. The bug is triggered during normal buffer allocation and mapping operations, without requiring any unusual hardware setup.

Impact

If exploited, the vulnerability can result in two primary consequences. First, stale cache data (which may contain information from other kernel or user-space activities) can be exposed to the GPU or to CPU reads via the uncached mapping, leading to information disclosure. Second, when dirty cache lines are eventually evicted to memory, they can overwrite the intended buffer contents, causing asynchronous corruption of GPU-accessible data.
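The two consequences above (stale data exposed through the uncached mapping, then a late eviction overwriting the buffer) as a constructed C model added here for illustration; this is not code from the kernel or the panthor driver, and the page size, line size and sample bytes are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: one page of DRAM plus a write-back CPU cache with dirty
 * lines. Only the ordering the advisory describes is modelled, not real hardware. */
#define PAGE_SIZE 64
#define LINE_SIZE 16
#define NLINES (PAGE_SIZE / LINE_SIZE)

struct model {
	uint8_t mem[PAGE_SIZE];   /* DRAM: what uncached mappings and the GPU see */
	uint8_t cache[PAGE_SIZE]; /* cached CPU view of the same page */
	bool dirty[NLINES];
};

/* Write-back of one line, as hardware eviction does at a time of its choosing. */
static void evict_line(struct model *m, int line)
{
	if (!m->dirty[line])
		return;
	memcpy(m->mem + line * LINE_SIZE, m->cache + line * LINE_SIZE, LINE_SIZE);
	m->dirty[line] = false;
}

/* The step the fix adds: clean every dirty line before the page is handed out uncached. */
static void flush_page(struct model *m)
{
	for (int i = 0; i < NLINES; i++)
		evict_line(m, i);
}

/* Runs the allocation sequence and returns (first_uncached_read << 8) | final_byte,
 * both taken at offset 0. Without the flush: 0xAA00, i.e. the previous owner's byte
 * leaks and the late eviction of the zero-fill clobbers the GPU's 0x42 write.
 * With the flush: 0x0042, the page reads as zero and the GPU's write survives. */
static int run_scenario(bool with_flush)
{
	struct model m = { 0 };
	memset(m.mem, 0xAA, PAGE_SIZE);  /* previous owner's data still in DRAM */
	memset(m.cache, 0, PAGE_SIZE);   /* shmem zero-fill through a cached mapping, */
	for (int i = 0; i < NLINES; i++) /* so every line of the page is now dirty */
		m.dirty[i] = true;
	if (with_flush)
		flush_page(&m);
	int leaked = m.mem[0];           /* first GPU / uncached read of the "zeroed" page */
	m.mem[0] = 0x42;                 /* GPU writes its payload through the uncached path */
	evict_line(&m, 0);               /* the dirty zero line drains asynchronously */
	return (leaked << 8) | m.mem[0];
}
```

Calling `run_scenario(false)` reproduces both failure modes in one run, while `run_scenario(true)` shows that a single clean of the dirty lines before the uncached mapping removes both.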

Mitigation status

The fix is included in upstream Linux stable kernels. Stable commits [1] and [2] reference the specific patches that add the necessary cache flush. Users should update to a kernel version containing these patches. No workaround is available without patching the kernel, so updating is the recommended action.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
