VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68735

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Prevent potential UAF in group creation

This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handle of a group and try to call GROUP_DESTROY ioctl from another thread around the same time as GROUP_CREATE ioctl.

To prevent the use after free exploit, this commit uses a mark on an entry of group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle and so userspace won't be able to delete a group that isn't marked yet.

v2: Add R-bs and fixes tags

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's Panthor DRM driver could allow local privilege escalation via a race between the group creation and group destruction ioctls.

In the Linux kernel's Panthor DRM driver, a use-after-free vulnerability (CVE-2025-68735) exists in the GROUP_CREATE ioctl function. The root cause is an ordering problem: the creation path stores the pointer to the new group in the group pool Xarray, which makes its handle valid for the other group ioctls, and then continues to dereference that pointer. A malicious userspace can guess the handle and concurrently call GROUP_DESTROY from another thread, freeing the group while the creation path is still using it [1].

Exploitation

The attack requires local access to the Panthor DRM device node and the ability to issue ioctl calls from multiple threads. The attacker issues a GROUP_CREATE ioctl and, from a second thread, concurrently issues GROUP_DESTROY with a guessed handle that corresponds to the newly allocated but not yet marked group. The window is the interval between the Xarray insertion and the return from GROUP_CREATE, so winning the race is a matter of timing rather than of any special privilege; nothing beyond access to the device node is needed [1].

Impact

Successful exploitation triggers a use-after-free on a driver-allocated object, which can lead to kernel memory corruption and, in the worst case, arbitrary code execution in kernel context. Depending on how the freed memory is reused and on the system configuration, that could be leveraged for elevated privileges such as root access or escape from container boundaries; the advisory itself does not assign a severity rating [1].

Mitigation

The fix sets a mark on the Xarray entry just before the GROUP_CREATE ioctl returns, i.e. only once the creation path has finished touching the group. Every ioctl that takes a group handle, not only GROUP_DESTROY, now checks for this mark and rejects a handle whose entry is not yet marked, so a partially created group cannot be destroyed or otherwise used from another thread. The patch is included in the Linux kernel stable tree [1].
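The ordering the fix relies on, shown as an added userspace model. This is not panthor's own code and does not use the kernel's Xarray API: a small handle table stands in for the group pool Xarray, a ready[] flag stands in for the mark that xa_set_mark() would set, and the racing GROUP_DESTROY is simulated as a direct call in the window between insertion and marking. All function and field names are invented for the example, and destroy sets a flag instead of freeing so that the stale access stays observable rather than being undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model, not panthor code: a small handle table stands in for the group
 * pool Xarray and ready[] for the mark set just before GROUP_CREATE returns. */
#define POOL_SIZE 8

struct group {
    int handle;
    bool freed;                   /* set by destroy instead of calling free() */
};

struct pool {
    struct group *slot[POOL_SIZE];
    bool ready[POOL_SIZE];        /* the "mark": entry is usable by other ioctls */
    bool check_mark;              /* true = post-fix lookup behaviour */
    struct group *last_created;   /* kept so the model can free it at the end */
    int race_rc;                  /* return value of the racing destroy */
    int stale_accesses;           /* create touched an already-destroyed group */
};

/* xa_alloc() analogue: publish the pointer and hand out a handle. From here on
 * the handle is guessable by another thread of the same process. */
static int pool_insert(struct pool *p, struct group *g)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!p->slot[i]) { p->slot[i] = g; return i; }
    return -ENOSPC;
}

/* Lookup shared by every ioctl that takes a group handle. */
static struct group *pool_lookup(struct pool *p, int handle)
{
    if (handle < 0 || handle >= POOL_SIZE || !p->slot[handle])
        return NULL;
    if (p->check_mark && !p->ready[handle])   /* xa_get_mark() analogue */
        return NULL;
    return p->slot[handle];
}

/* GROUP_DESTROY analogue: -EINVAL for an unknown or (post-fix) unmarked handle. */
static int group_destroy(struct pool *p, int handle)
{
    struct group *g = pool_lookup(p, handle);
    if (!g)
        return -EINVAL;
    p->slot[handle] = NULL;
    p->ready[handle] = false;
    g->freed = true;              /* stand-in for kfree(); keeps the bug observable */
    return 0;
}

/* GROUP_CREATE analogue: publish, keep using the object, then mark. race=true
 * simulates a second thread calling GROUP_DESTROY on the guessed handle in between. */
static int group_create(struct pool *p, bool race, int *out)
{
    struct group *g = calloc(1, sizeof(*g));
    if (!g)
        return -ENOMEM;
    p->last_created = g;
    int handle = pool_insert(p, g);
    if (handle < 0) {
        free(g);
        return handle;
    }
    if (race)
        p->race_rc = group_destroy(p, handle);
    /* The post-insert dereference the commit message warns about. */
    if (g->freed)
        p->stale_accesses++;      /* with a real kfree() this is the UAF */
    g->handle = handle;
    p->ready[handle] = true;      /* xa_set_mark() analogue, last step before return */
    *out = handle;
    return 0;
}

struct outcome {
    int race_rc;   /* what the racing GROUP_DESTROY got back */
    int stale;     /* stale accesses observed inside GROUP_CREATE */
    int later_rc;  /* GROUP_DESTROY on the returned handle, after create */
};

/* One GROUP_CREATE with a racing GROUP_DESTROY, pre-fix or post-fix. */
static struct outcome simulate_race(bool fixed)
{
    struct pool p = { .check_mark = fixed };
    struct outcome o = { .race_rc = 0, .stale = 0, .later_rc = -1 };
    int handle = -1;
    if (group_create(&p, true, &handle) != 0)
        return o;
    o.race_rc = p.race_rc;
    o.stale = p.stale_accesses;
    o.later_rc = group_destroy(&p, handle);
    free(p.last_created);
    return o;
}
```

In the vulnerable variant (simulate_race(false)) the racing destroy succeeds, the creation path then touches a destroyed object, and the handle that GROUP_CREATE hands back is already dangling, so a later destroy on it fails. In the fixed variant (simulate_race(true)) the early destroy is refused with -EINVAL because the entry is not marked yet, creation completes, and a destroy on the returned handle then succeeds. The property that closes the window is that the mark is set last and checked on every handle lookup; no additional locking around the whole ioctl is needed.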

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesised for this CVE

References: 3

News mentions: 0 (no linked articles in the index yet)