CVE-2025-68181
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Remove calls to drm_put_dev()
Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.
However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.
[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [ 5.649605] ------------[ cut here ]------------ [ 5.649607] refcount_t: underflow; use-after-free. [ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free bug in the Linux radeon driver occurs when double-freeing via both drm_put_dev() and devres after a probe failure.
Root
Cause
The commit addresses a use-after-free bug in the Linux kernel's drm/radeon driver. The driver's main structure allocation was changed to devm_drm_dev_alloc(), which means its lifetime is managed by the devres framework and should be freed automatically. However, the probe error and device removal paths still contained explicit calls to drm_put_dev(). This leads to a double-free scenario when the driver fails to probe: first by the explicit drm_put_dev() call, and then again by devres, triggering a refcount underflow warning and potential use-after-free [1].
Exploitation
This vulnerability is triggered during driver probe failure on affected systems, such as when an unsupported or malfunctioning Radeon GPU is encountered. The attacker would need to cause the driver to fail probing, for example by passing a malformed device or exploiting hardware configuration. No authentication is required, but the attack surface is local or physical access to influence device enumeration [1].
Impact
The primary impact is a kernel memory safety issue: a refcount underflow leading to a use-after-free condition. This can result in a denial of service (kernel panic or crash) and, in theory, could be leveraged for local privilege escalation if an attacker can control the freed memory. The warning message explicitly shows a refcount underflow, confirming the double-free [1].
Mitigation
The fix, introduced in Linux kernel commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4 and backported as ec18f6b2c743cc471b2539ddb5caed20a012e640, removes the explicit drm_put_dev() calls from the probe error and remove paths, allowing devres to handle cleanup safely. Users should apply the stable kernel update containing this commit. No workaround is available other than avoiding hardware that triggers the probe failure or using mitigation techniques like KASLR [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.