CVE-2025-68170
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Do not kfree() devres managed rdev
Since the allocation of the driver's main structure was changed to devm_drm_dev_alloc(), rdev is managed by devres and we shouldn't be calling kfree() on it.
This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.
(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's radeon driver occurs when devres-managed rdev is freed with kfree() during a failed probe.
Vulnerability Overview
In the Linux kernel's drm/radeon driver, a use-after-free vulnerability exists due to improper memory management. The allocation of the driver's main structure (rdev) was changed to devm_drm_dev_alloc(), which makes it managed by devres (device resource management). However, the error path in the driver still called kfree() on this devres-managed pointer, leading to a double-free or use-after-free condition when the probe fails and devres subsequently attempts to clean up the already freed rdev [1].
Exploitation Scenario
This bug is triggered during a driver probe failure. An attacker would need to cause the radeon driver to fail its initialization sequence for a Radeon GPU device. This could be achieved through hardware misconfiguration, incompatible configurations, or by inducing resource allocation failures. No special privileges are required beyond the ability to load the driver, which typically happens at boot or when a GPU device is hotplugged.
Impact
If triggered, the kernel may crash or behave unpredictably due to memory corruption. An attacker who can control the probe failure conditions could potentially exploit this to escalate privileges or cause a denial of service. The vulnerability is local and requires physical or administrative access to the system to trigger the driver probe.
Mitigation
The fix is included in Linux kernel commit 16c0681617b8 and its stable backport f7482516002a. The patch removes the erroneous kfree() call, allowing devres to properly manage the rdev lifetime. Users should update their kernel to a version containing this fix. No workarounds are available; the affected driver is part of the kernel and cannot be easily disabled without losing Radeon GPU support.
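The failure mode described above, as an added userspace model in C (not code from the kernel or from this page): it counts how many times rdev's memory is freed on a failed probe, with and without the manual free in the error path. The `model_*` helpers and `probe_fail_free_count` are hypothetical stand-ins for kfree(), devm_drm_dev_alloc() and devres cleanup.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model (assumption), not kernel code. Every name below is
 * hypothetical; frees are counted rather than performed twice. */
#define MAX_RES 8
struct res { void *ptr; int frees; };   /* frees > 1 means a double free */
struct device_model { struct res list[MAX_RES]; int n; };
/* Stand-in for kfree(): records that p was freed. */
static void model_free(struct device_model *dev, void *p)
{
    for (int i = 0; i < dev->n; i++)
        if (dev->list[i].ptr == p)
            dev->list[i].frees++;
}
/* Stand-in for a devm_* allocation: the device owns the memory. */
static void *model_devm_alloc(struct device_model *dev, size_t sz)
{
    void *p = calloc(1, sz);
    if (!p || dev->n == MAX_RES) { free(p); return NULL; }
    dev->list[dev->n++] = (struct res){ p, 0 };
    return p;
}
/* Stand-in for devres cleanup after a failed probe. */
static void model_devres_release_all(struct device_model *dev)
{
    for (int i = 0; i < dev->n; i++)
        model_free(dev, dev->list[i].ptr);
}

/* Probe that always fails after allocating rdev. Returns how many times
 * rdev was freed: 1 is correct, 2 is the double free described above. */
int probe_fail_free_count(int kfree_in_error_path)
{
    struct device_model dev = { .n = 0 };
    void *rdev = model_devm_alloc(&dev, 64);
    if (!rdev) return -1;
    if (kfree_in_error_path)
        model_free(&dev, rdev);         /* the erroneous kfree(rdev) */
    model_devres_release_all(&dev);     /* devres frees rdev again */
    int count = dev.list[0].frees;
    free(rdev);                         /* real memory released exactly once */
    return count;
}

int main(void)
{
    printf("buggy: %d frees, fixed: %d frees\n", probe_fail_free_count(1), probe_fail_free_count(0));
    return 0;
}
```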
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References: 3
News mentions: 0. No linked articles in our index yet.