CVE-2025-68730
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Don't add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's accel/ivpu driver, improper BO list addition before full creation can cause a page fault when BO creation fails, leaving a deleted entry.
Vulnerability Description
In the Linux kernel's accel/ivpu driver, the function ivpu_gem_create_object() adds a newly created buffer object (BO) to the vdev->bo_list before the underlying drm_gem_shmem_create() call has fully completed. If that call fails (e.g., due to memory allocation errors), the partially-created BO is freed, but it remains in the list. This dangling pointer leads to a use-after-free condition when the list is subsequently traversed by functions such as ivpu_bo_unbind_all_bos_from_context(), causing a page fault [1].
Attack Vector
The vulnerability can be triggered by an attacker who is able to cause a failure in BO creation within the VPU driver. This may be achieved through local access that exhausts memory or other resources, or by exploiting race conditions. No authentication is required other than the ability to interact with the VPU subsystem (typically requiring local user access). The attack surface is limited to systems using the Intel VPU accelerator hardware and the affected kernel version.
Impact
Successful exploitation results in a kernel page fault, leading to a system crash or denial of service. In some cases, memory corruption could occur, potentially allowing privilege escalation, but the primary impact is on system availability.
Mitigation
The fix has been applied in the Linux kernel via commit [1], which moves the list insertion to occur only after drm_gem_shmem_create() succeeds. Users should update their kernels to include this patch. There is no known workaround other than applying the update.
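A simplified user-space C model of the ordering problem and of the fix described above, added here as an illustration; it is not the kernel's code, and every name in it (`struct bo`, `create_object`, `shmem_create`, `bo_create`, `run_scenario`) is a hypothetical stand-in. A static arena replaces the allocator so that a released object can be inspected safely.

```c
#include <stdio.h>

/* User-space model; every name is hypothetical, not ivpu driver code. */
struct bo  { int alive; struct bo *next; };
struct dev { struct bo *bo_list; };

/* Static arena instead of malloc/free, so a released object stays inspectable. */
static struct bo pool[4];
static int pool_used;

static void list_add(struct dev *d, struct bo *b) { b->next = d->bo_list; d->bo_list = b; }

/* Allocation callback: the buggy ordering publishes the object on the list here. */
static struct bo *create_object(struct dev *d, int publish_early)
{
    struct bo *b = &pool[pool_used++];
    b->alive = 1; b->next = NULL;
    if (publish_early) list_add(d, b);
    return b;
}

/* Generic create helper: a later step can fail, and its error path releases the
 * object without running the driver's free callback that would unlink it. */
static struct bo *shmem_create(struct dev *d, int publish_early, int fail)
{
    struct bo *b = create_object(d, publish_early);
    if (fail) { b->alive = 0; return NULL; }
    return b;
}

/* Fixed ordering: publish only once the helper has returned success. */
static void bo_create(struct dev *d, int fixed, int fail)
{
    struct bo *b = shmem_create(d, !fixed, fail);
    if (b && fixed) list_add(d, b);
}

/* Three creations, the second failing; returns how many released objects a
 * later list walk (such as unbind-all) would still visit. */
int run_scenario(int fixed)
{
    struct dev d = { NULL };
    int stale = 0;
    pool_used = 0;
    bo_create(&d, fixed, 0); bo_create(&d, fixed, 1); bo_create(&d, fixed, 0);
    for (struct bo *b = d.bo_list; b; b = b->next) stale += !b->alive;
    return stale;
}

int main(void) { printf("buggy: %d stale, fixed: %d stale\n", run_scenario(0), run_scenario(1)); return 0; }
```

In the model the stale entry is only counted; in the kernel the equivalent list walk dereferences released memory, which is where the page fault comes from.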
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.