VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68314


Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: make sure last_fence is always updated

Update last_fence in the vm-bind path instead of kernel managed path.

last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.

This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.

Patchwork: https://patchwork.freedesktop.org/patch/680080/

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel drm/msm bug where `last_fence` was not updated in the vm-bind path, causing use-after-free faults on context close.

Root Cause

In the drm/msm driver for the Linux kernel, last_fence is a field used to wait for completion of work in vm-bind contexts. The vulnerability arises because last_fence was only updated in the kernel-managed path, but not in the vm-bind path. When a context is closed, the driver attempts to wait on last_fence to ensure all operations finish before freeing resources. If last_fence was never properly set (e.g., because the vm-bind path was used), the wait may be skipped or incomplete, leading to resources being freed while still in use — a classic use-after-free scenario [1].
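The lifetime problem described above can be reproduced in a small userspace model. This is an added example, not code from the msm driver or the fix commit: all type and function names are hypothetical, and kernel-managed contexts are assumed to have their resource lifetimes tracked elsewhere.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not the msm driver's. */
enum ctx_kind { KERNEL_MANAGED, VM_BIND };
struct fence { bool signaled; };   /* completion marker for one queued job */

struct ctx {
    enum ctx_kind kind;
    struct fence *last_fence;      /* bookkeeping: what close waits on */
    struct fence *in_flight;       /* ground truth: newest job still queued */
};

/* Blocking wait, modelled as "the job runs to completion". */
static void fence_wait(struct fence *f) { f->signaled = true; }

/* Queue a job; 'fixed' selects which path records last_fence. */
static void submit(struct ctx *c, struct fence *f, bool fixed)
{
    f->signaled = false;
    c->in_flight = f;
    if (c->kind == (fixed ? VM_BIND : KERNEL_MANAGED))
        c->last_fence = f;
}

/* Close a context. Returns true when resources would be released while a
 * job is still running, the condition the advisory says leads to faults. */
static bool close_ctx(struct ctx *c)
{
    if (c->kind != VM_BIND)
        return false;  /* assumption: kernel-managed lifetimes tracked elsewhere */
    if (c->last_fence)
        fence_wait(c->last_fence);
    bool freed_in_use = c->in_flight && !c->in_flight->signaled;
    c->last_fence = c->in_flight = NULL;   /* resources released here */
    return freed_in_use;
}

static bool submit_then_close(enum ctx_kind kind, bool fixed)
{
    struct fence job = { false };
    struct ctx c = { .kind = kind };
    submit(&c, &job, fixed);
    return close_ctx(&c);
}

int main(void)
{
    printf("vm-bind, before fix: freed in use = %d\n", submit_then_close(VM_BIND, false));
    printf("vm-bind, after fix:  freed in use = %d\n", submit_then_close(VM_BIND, true));
    return 0;
}
```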

Exploitation

An attacker with the ability to trigger vm-bind operations (which requires local user access to the GPU device and permission to submit commands) can exploit this by intentionally closing a context while GPU operations that were bound via vm-bind are still executing. No network access is needed; the attack vector is local, through the GPU subsystem's ioctl interface. The prerequisite is that the kernel is running an affected version (before the fix commit was applied) [1].

Impact

Successful exploitation can lead to memory corruption (use-after-free) in the kernel's DRM/GPU subsystem. This may result in system crashes (denial of service), or potentially privilege escalation if the freed memory is reallocated and controlled by the attacker. The impact is considered high due to the possibility of arbitrary code execution in kernel context, although the specific exploitability for privilege escalation is not detailed in the references [1].

Mitigation

The fix was submitted to the Linux kernel stable tree via commit 86404a9e3013d814a772ac407573be5d3cd4ee0d (Patchwork 680080). This commit ensures that last_fence is also updated in the vm-bind path by moving the update into the vm-bind logic instead of relying solely on the kernel-managed path. Users should apply the latest kernel updates from their distribution to remediate this vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
