CVE-2025-68732
Description
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release.
Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Linux kernel host1x syncpoint alloc/free due to non-atomic locking, enabling use-after-free and potential privilege escalation.
Vulnerability
A race condition exists in the Linux kernel's host1x driver between host1x_syncpt_alloc() and host1x_syncpt_put(). The original code used kref_put() followed by manual mutex locking, which is not atomic. This allows a thread to allocate a syncpoint after its reference count has dropped to zero but before the mutex is acquired by the cleaning thread, leading to a use-after-free scenario.
Exploitation
Exploitation requires local access to the host1x driver, typically through the graphics subsystem. An attacker can trigger concurrent syncpoint allocation and deallocation, for example via crafted IOCTL calls. No special privileges beyond user-level access to the device are needed, but the attack must be timed precisely.
Impact
Successful exploitation can cause memory corruption or a system crash. In a worst-case scenario, an attacker may leverage the use-after-free to execute arbitrary code with kernel privileges, resulting in full system compromise.
Mitigation
The fix, applied in commit [1], replaces kref_put() and manual locking with kref_put_mutex(), ensuring atomic operation. The patch has been backported to stable kernel trees. Users should update to the latest kernel version.
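The following is a constructed userland model of the race described above and of the kref_put_mutex() fix; it is added here as an illustration and is not the host1x driver's code. The two-slot pool, the hand-stepped mutex flag and the step functions (old_put_dec, old_release, put_mutex, new_release) are assumptions made so the interleaving can be replayed deterministically without threads. The old pattern is split into "decrement" and "lock and release" steps to expose the window the commit message refers to; the new pattern takes the mutex before the count reaches zero, as refcount_dec_and_mutex_lock() does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not driver code): a tiny syncpoint pool guarded by one mutex. */
#define NR_SYNCPTS 2

struct syncpt {
    int refcount;    /* models the kref */
    bool name_alive; /* models the allocated name that syncpt_release frees */
};

struct host {
    struct syncpt sp[NR_SYNCPTS];
    bool mutex_held; /* models syncpt_mutex; true while some path holds it */
};

/* mutex_lock in a hand-stepped model: a contended lock is a blocked step */
static bool try_lock(struct host *h)
{
    if (h->mutex_held)
        return false;
    h->mutex_held = true;
    return true;
}

static void unlock(struct host *h) { h->mutex_held = false; }

/* alloc model: under syncpt_mutex, claim the first syncpt whose refcount is 0 */
static int syncpt_alloc(struct host *h)
{
    if (!try_lock(h))
        return -1; /* would block on syncpt_mutex */
    int id = -1;
    for (int i = 0; i < NR_SYNCPTS; i++) {
        if (h->sp[i].refcount == 0) {
            h->sp[i].refcount = 1;      /* kref_init */
            h->sp[i].name_alive = true; /* name allocated */
            id = i;
            break;
        }
    }
    unlock(h);
    return id;
}

/* body of the release callback: free the name (caller decides who holds the mutex) */
static void release_body(struct host *h, int id) { h->sp[id].name_alive = false; }

/* OLD pattern, step 1: kref_put decrements; true when the count hits zero */
static bool old_put_dec(struct host *h, int id) { return --h->sp[id].refcount == 0; }

/* OLD pattern, step 2: the release callback locks, frees, unlocks */
static bool old_release(struct host *h, int id)
{
    if (!try_lock(h))
        return false;
    release_body(h, id);
    unlock(h);
    return true;
}

/* NEW pattern: kref_put_mutex semantics. The decrement to zero happens with the
 * mutex already held, so no allocator can observe refcount == 0 before release. */
static bool put_mutex(struct host *h, int id)
{
    if (h->sp[id].refcount > 1) { /* fast path: not the last reference */
        h->sp[id].refcount--;
        return false;
    }
    if (!try_lock(h))
        return false; /* blocked here; the kernel would simply wait */
    h->sp[id].refcount--; /* final decrement under the lock */
    return true;          /* release is due, mutex is held */
}

/* release under the new pattern: no locking of its own, but it must drop the mutex */
static void new_release(struct host *h, int id)
{
    release_body(h, id);
    unlock(h);
}

/* the use-after-free condition: a held reference whose name is already freed */
static bool live_but_freed(const struct host *h, int id)
{
    return h->sp[id].refcount > 0 && !h->sp[id].name_alive;
}

/* Thread A drops the last ref, thread B allocates in the window, A finishes release.
 * Returns 1 when B's live syncpt ends up with a freed name. */
int run_old_pattern(void)
{
    struct host h = {0};
    int id = syncpt_alloc(&h);     /* B's earlier allocation, refcount 1 */
    old_put_dec(&h, id);           /* A: refcount -> 0, mutex not yet taken */
    int reused = syncpt_alloc(&h); /* B: sees refcount 0 and reuses the slot */
    old_release(&h, id);           /* A: frees the name that B now owns */
    return (reused == id && live_but_freed(&h, id)) ? 1 : 0;
}

/* Same interleaving with kref_put_mutex: B is blocked until A's release completes.
 * Returns 0 when B only ever gets a cleanly released slot. */
int run_new_pattern(void)
{
    struct host h = {0};
    int id = syncpt_alloc(&h);
    put_mutex(&h, id);             /* A: refcount -> 0 with the mutex held */
    int reused = syncpt_alloc(&h); /* B: blocked, returns -1 */
    new_release(&h, id);           /* A: free, then unlock */
    int after = syncpt_alloc(&h);  /* B retries and gets the released slot */
    return (reused == -1 && after == id && !live_but_freed(&h, id)) ? 0 : 1;
}

int main(void)
{
    printf("old pattern corrupted: %d\n", run_old_pattern()); /* 1 */
    printf("new pattern corrupted: %d\n", run_new_pattern()); /* 0 */
    return 0;
}
```

The model deliberately keeps the same release body in both variants: the only change is where the mutex is taken relative to the final decrement, which is exactly what the commit describes.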
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 7
- git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b (nvd)
- git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (nvd)
- git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972 (nvd)
- git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (nvd)
- git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b (nvd)
- git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e (nvd)
- git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27 (nvd)
News mentions: 0
No linked articles in our index yet.