CVE-2025-68326
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Fix stack_depot usage
Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is enabled to fix the following call stack:
[] BUG: kernel NULL pointer dereference, address: 0000000000000000
[] Workqueue: drm_sched_run_job_work [gpu_sched]
[] RIP: 0010:stack_depot_save_flags+0x172/0x870
[] Call Trace:
[]
[] fast_req_track+0x58/0xb0 [xe]
(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing stack_depot_init() call in drm/xe/guc when CONFIG_DRM_XE_DEBUG_GUC is enabled can cause a kernel NULL pointer dereference and system crash.
Root Cause
The vulnerability is a missing stack_depot_init() call in the Linux kernel's drm/xe/guc driver when CONFIG_DRM_XE_DEBUG_GUC is enabled. Without this initialization, subsequent calls to stack_depot_save_flags(), triggered from fast_req_track() in the GPU scheduler workqueue, attempt to access uninitialized stack depot metadata, leading to a NULL pointer dereference at address 0x0000000000000000 [1].
Exploitation Prerequisites
Exploitation requires a system running a Linux kernel built with CONFIG_DRM_XE_DEBUG_GUC=y and the xe kernel module loaded to drive Intel GPUs. The attacker would need to trigger GPU job submissions that cause the crash path to execute; this can be achieved by unprivileged users if they can access the GPU via DRM render nodes, though some configurations may require local user access to the /dev/dri/renderD* device. The crash manifests when the GPU scheduler workqueue runs fast_req_track(), which calls stack_depot_save_flags() before the stack depot subsystem has been initialized.
Impact
A successful trigger results in a kernel NULL pointer dereference, causing an immediate system crash (kernel panic or oops). This is a denial-of-service condition affecting system availability. The vulnerability does not directly allow arbitrary code execution or privilege escalation based on the available description [1].
Mitigation
The fix is included in upstream Linux kernel commits (cherry-pick from 64fdf496a6929a0a194387d2bb5efaf5da2b542f) and stable kernels that incorporate the patch. Users should apply kernel updates from their distribution. No workaround other than disabling CONFIG_DRM_XE_DEBUG_GUC (which removes debug tracing) is known. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
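A triage check built from the prerequisites and crash signature described above. This is an added example, not code from the kernel project or from this advisory; the function names, the output labels and the /boot/config path are assumptions.

```shell
#!/bin/sh
# Added example: triage for CVE-2025-68326. File paths are arguments so the
# same functions work on live files or on copies collected from a host.

# 0 if the kernel config (plain or .gz) has CONFIG_DRM_XE_DEBUG_GUC=y.
xe_debug_guc_enabled() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac 2>/dev/null | grep -q '^CONFIG_DRM_XE_DEBUG_GUC=y$'
}

# 0 if xe is listed in a /proc/modules-format file. A built-in xe
# (CONFIG_DRM_XE=y) is not listed there and needs a separate check.
xe_module_loaded() {
    grep -q -- '^xe ' "$1" 2>/dev/null
}

# 0 if one oops in the log has all three markers from the CVE description:
# NULL dereference, RIP in stack_depot_save_flags, fast_req_track frame in [xe].
oops_matches() {
    awk '
        /BUG: kernel NULL pointer dereference/ { in_oops = 1; rip = 0; next }
        /---\[ end trace/                      { in_oops = 0; rip = 0 }
        in_oops && /RIP: .*stack_depot_save_flags\+/ { rip = 1 }
        in_oops && rip && /fast_req_track\+.*\[xe\]/ { hit = 1 }
        END { exit !hit }
    ' "$1" 2>/dev/null
}

# Prints "crashed", "debug-guc-active" or "not-exposed".
# "debug-guc-active" only means the affected code path is compiled in and xe
# is loaded; whether the running kernel carries the fix must be checked
# against the distribution's changelog.
assess() {  # args: <kernel-config> <modules-file> <kernel-log>
    if oops_matches "$3"; then
        echo crashed
    elif xe_debug_guc_enabled "$1" && xe_module_loaded "$2"; then
        echo debug-guc-active
    else
        echo not-exposed
    fi
}

# Typical live use (config path varies by distribution):
#   dmesg > /tmp/kernel.log
#   assess "/boot/config-$(uname -r)" /proc/modules /tmp/kernel.log
```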
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.