CVE-2025-40316
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Fix device use-after-free on unbind
A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers").
This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.
Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.
Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's Mediatek DRM driver arises from a reference imbalance during component bind/unbind, potentially allowing privilege escalation.
Vulnerability
Overview
CVE-2025-40316 is a use-after-free vulnerability in the Linux kernel's drm/mediatek driver. The root cause is a reference imbalance introduced when a recent patch fixed device reference leaks during bind() but failed to remove a prior partial fix (commit 80805b62ea5b). This imbalance occurs on component bind failures and during unbind, leading to a situation where a device reference is dropped prematurely while the driver data is still in use, resulting in a use-after-free condition [1].
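The reference imbalance described in the Description above and restated in this Overview, as a userspace C model added here (it is not kernel code and not the fix commit; `model_device`, `dev_get`, `dev_put`, `find_drm_device` and the two lookup variants are hypothetical stand-ins for the kernel's device refcount and drvdata helpers):

```c
/* Hypothetical userspace model of a refcounted device that carries driver
 * data. It mirrors the shape of the kernel's get_device()/put_device() and
 * dev_get_drvdata(), but it is not kernel code and not the fix commit. */
struct model_device {
    int refcount;   /* owners holding a reference; the bus holds one */
    void *drvdata;  /* driver-private data of the drm platform device */
};

static struct model_device *dev_get(struct model_device *d) { d->refcount++; return d; }

/* Refcount 0 models the object being freed while the bus still points at it. */
static void dev_put(struct model_device *d) { d->refcount--; }

/* Models the platform-device lookup: the caller receives a reference. */
static struct model_device *find_drm_device(struct model_device *d) { return dev_get(d); }

/* Imbalanced variant: the newer fix drops the lookup reference right after
 * reading drvdata, but the older partial fix's put on the failure path was
 * left in place, so a bind() failure drops that single reference twice. */
int get_drm_priv_imbalanced(struct model_device *dev, void **priv, int bind_fails) {
    struct model_device *d = find_drm_device(dev);
    *priv = d->drvdata;
    dev_put(d);                  /* drop after retrieving driver data */
    if (bind_fails) {
        dev_put(d);              /* leftover partial fix: second drop */
        return -1;               /* the bus's own reference is now gone */
    }
    return 0;
}

/* Balanced variant: exactly one put per lookup, after drvdata is retrieved. */
int get_drm_priv_balanced(struct model_device *dev, void **priv, int bind_fails) {
    struct model_device *d = find_drm_device(dev);
    *priv = d->drvdata;
    dev_put(d);
    return bind_fails ? -1 : 0;
}

/* Runs one variant against a device owned only by the bus (refcount 1) and
 * returns the refcount the bus is left with: 0 means the bus now holds a
 * dangling pointer, which is the use-after-free condition hit on unbind. */
int bus_refcount_after(int use_balanced, int bind_fails) {
    int priv_obj;
    void *priv = 0;
    struct model_device dev = { 1, &priv_obj };
    if (use_balanced) get_drm_priv_balanced(&dev, &priv, bind_fails);
    else get_drm_priv_imbalanced(&dev, &priv, bind_fails);
    return dev.refcount;
}
```

The success path is balanced in both variants; only the failure path of the imbalanced variant leaves the bus with a refcount of 0.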
Exploitation
Exploitation requires the ability to trigger component bind failures or unbind operations on a system using the Mediatek DRM driver. An attacker with local access and sufficient privileges (e.g., ability to load/unload kernel modules or manipulate DRM device state) could induce the reference imbalance. No special network position is needed; the attack surface is local. The vulnerability does not require authentication beyond normal user access to DRM interfaces.
Impact
A successful exploit could allow an attacker to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context. The use-after-free affects the device structure, which may be leveraged to gain control of kernel execution flow.
Mitigation
The fix, included in Linux kernel stable updates, reverts the incomplete partial fix to ensure proper reference counting. Users should apply the latest kernel updates from their distribution or the mainline kernel containing commit a5a896f8315de358a2932e2c23c42d550256046a [1]. No workarounds are documented; updating the kernel is the recommended mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 4 (a5a896f8315d, 0142fe895986, 8ba827e09eb5, 926d002e6d7e)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.