CVE-2025-68193
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Add devm release action to safely tear down CT
When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However, a premature release of the CTB BO can lead to system crashes, as observed in:
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:h2g_write+0x2f3/0x7c0 [xe]
Call Trace:
 guc_ct_send_locked+0x8b/0x670 [xe]
 xe_guc_ct_send_locked+0x19/0x60 [xe]
 send_tlb_invalidation+0xb4/0x460 [xe]
 xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]
 ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]
 ggtt_node_remove+0x110/0x140 [xe]
 xe_ggtt_node_remove+0x40/0xa0 [xe]
 xe_ggtt_remove_bo+0x87/0x250 [xe]
Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's DRM/XE driver, a use-after-free in the GuC CTB mechanism could cause a system crash when TLB invalidation is attempted after the CTB buffer object is prematurely released.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's drm/xe driver, specifically in the GuC (Graphics micro-Controller) communication transport (CTB) mechanism. When a buffer object (BO) allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag is released, the driver initiates TLB invalidation requests via the CTB mechanism. If the CTB buffer object itself is freed before the TLB invalidation completes, a race condition allows access to freed memory, leading to a system crash [1].
Exploitation
The attack surface is accessible to a local user with sufficient privileges to trigger buffer object allocation and deallocation with the GGTT_INVALIDATE flag in the XE driver. The vulnerability does not require any special network access but does require the ability to interact with the DRM subsystem. The root cause is the lack of proper ordering: the CTB buffer object could be released while TLB invalidation requests were still in-flight, causing a use-after-free in functions like h2g_write and guc_ct_send_locked [1].
Impact
An attacker who successfully triggers the race condition could cause a denial of service (system crash, kernel panic) due to memory corruption. The call trace shows the crash occurs in the xe kernel module during GGTT page table manipulation [1]. No privilege escalation is described, but the crash can render the system unusable.
Mitigation
The fix, introduced in commit ee4b32220a6b (Linux kernel stable branch), adds a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure the CTB is safely disabled before the buffer object is deallocated, preventing the use-after-free scenario. Users are advised to apply the latest stable kernel updates containing this patch [1].
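The teardown ordering that both the description and the mitigation rely on, shown as an added user-space model that is not the kernel's code: the CTB buffer object is device-managed, so registering a CT disable action after it makes the LIFO release order disable the transport before the buffer goes away, and a late GGTT TLB invalidation is then rejected instead of writing into released memory. The tiny devm stack is modelled on the kernel's devm_add_action() semantics; every name in the block (devm_stack, ct_send_tlb_invalidation, teardown_then_invalidate, the SEND_* codes) is a hypothetical stand-in for h2g_write, xe_guc_ct_init() and friends.

```c
/* Added example, not kernel code: a user-space model of the devm LIFO release
 * order the fix relies on. Every name below is hypothetical. */
#include <stdbool.h>
enum { SEND_OK = 0, SEND_REJECTED = -1, SEND_UAF = -2 };
struct bo { bool freed; };                  /* stands in for the CTB buffer object */
struct ct { struct bo *bo; bool enabled; }; /* stands in for the GuC CT state */

/* Like devm_add_action(): actions run in reverse registration order at teardown. */
typedef void (*release_fn)(void *);
static struct { release_fn fn; void *data; } devm_stack[8];
static int devm_top;
static int devm_add_action(release_fn fn, void *data)
{
    if (devm_top >= 8) return -1;
    devm_stack[devm_top].fn = fn; devm_stack[devm_top++].data = data;
    return 0;
}
static void devm_release_all(void)
{
    for (; devm_top > 0; devm_top--)
        devm_stack[devm_top - 1].fn(devm_stack[devm_top - 1].data);
}
static void bo_release(void *p) { ((struct bo *)p)->freed = true; }
static void ct_disable(void *p) { ((struct ct *)p)->enabled = false; }

/* h2g_write analogue: a disabled CT rejects the request; an enabled CT writes
 * into its BO, which is a use-after-free if the BO has already been released. */
static int ct_send_tlb_invalidation(struct ct *ct)
{
    if (!ct->enabled) return SEND_REJECTED;
    return ct->bo->freed ? SEND_UAF : SEND_OK;
}

/* Models xe_guc_ct_init(): the BO is devm-managed; with the fix, ct_disable is
 * registered afterwards, so LIFO teardown runs it before bo_release. */
static int ct_init(struct ct *ct, struct bo *bo, bool with_fix)
{
    ct->bo = bo; bo->freed = false; ct->enabled = true;
    if (devm_add_action(bo_release, bo)) return -1;
    return with_fix ? devm_add_action(ct_disable, ct) : 0;
}

/* Tear the device down, then replay the late GGTT TLB invalidation from the Oops. */
static int teardown_then_invalidate(bool with_fix)
{
    struct bo bo; struct ct ct;
    if (ct_init(&ct, &bo, with_fix)) return -3;
    devm_release_all();
    return ct_send_tlb_invalidation(&ct);
}
```

Without the extra action the replayed send reaches a released BO (the SEND_UAF path, the real-world crash in h2g_write); with it, the disable runs first and the send is refused.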
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)