VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2025-68747

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix UAF on kernel BO VA nodes

If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the current code doesn't cover for anyway).

Proceed with the rest of the cleanup instead of bailing out and leaving the va_node inserted in the drm_mm, which leads to UAF when other adjacent nodes are removed from the drm_mm tree.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's Panthor DRM driver occurs when MMU-down errors during unmap leave stale VA nodes in the drm_mm tree.

Vulnerability

In the Linux kernel's Panthor DRM driver, a use-after-free (UAF) vulnerability exists in the virtual memory (VM) management code. When the Memory Management Unit (MMU) is down, panthor_vm_unmap_range() may return an error. The kernel expects the page table to be updated regardless, and if the MMU is blocked the rest of the GPU should also be blocked, so there is no risk of accessing freed physical memory. However, the error handling in the unmap path can bail out early, leaving the virtual address (VA) node still inserted in the drm_mm range allocator. This stale node leads to a use-after-free when other adjacent nodes are later removed from the drm_mm tree [1][2][3][4].

Exploitation

An attacker with local access and the ability to submit GPU commands (e.g., via a malicious DRM client) can trigger the MMU-down condition and cause panthor_vm_unmap_range() to fail. Because the cleanup does not proceed, the VA node remains in the allocator's data structures. Subsequent operations that manipulate the drm_mm tree can then access the freed node, resulting in a use-after-free [1][2][3][4].

Impact

A successful exploit could allow an attacker to corrupt kernel memory, potentially leading to privilege escalation or a denial of service (system crash). The vulnerability is local and requires the ability to interact with the Panthor DRM device [1][2][3][4].

Mitigation

The fix ensures that even when panthor_vm_unmap_range() returns an error, the cleanup proceeds to remove the VA node from the drm_mm tree, preventing the use-after-free. Patches have been applied to the Linux kernel stable branches [1][2][3][4]. Users should update their kernel to a version containing the fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
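An added illustration, not the kernel's or the Panthor driver's code: a user-space C model of the error path described above, with a doubly linked list standing in for the drm_mm tree and a `freed` flag standing in for releasing the object, so the stale node can be counted without touching freed memory. All type and function names in it are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model; every name here is a hypothetical stand-in, not kernel code. */
struct va_node { struct va_node *prev, *next; };    /* models a drm_mm node */
struct kbo { struct va_node va_node; bool freed; }; /* models a kernel BO */

static void range_insert(struct va_node *head, struct va_node *n)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

static void range_remove(struct va_node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* Teardown of one BO; `fixed` selects pre-fix or post-fix error handling. */
static void kbo_destroy(struct kbo *bo, bool mmu_down, bool fixed)
{
    int ret = mmu_down ? -1 : 0;   /* stand-in for the unmap call failing */
    if (ret && !fixed)
        goto out_free;             /* pre-fix: bail out, node stays linked */
    range_remove(&bo->va_node);    /* post-fix: reached even on error */
out_free:
    bo->freed = true;              /* models the free; storage kept so the check is safe */
}

/* Build three adjacent nodes, destroy the middle one, count stale linked nodes. */
static int stale_nodes_after_destroy(bool mmu_down, bool fixed)
{
    struct va_node head = { &head, &head };
    struct kbo bos[3] = { 0 };
    int stale = 0;
    for (int i = 0; i < 3; i++)
        range_insert(&head, &bos[i].va_node);
    kbo_destroy(&bos[1], mmu_down, fixed);
    for (struct va_node *n = head.next; n != &head; n = n->next)
        stale += ((struct kbo *)((char *)n - offsetof(struct kbo, va_node)))->freed;
    return stale;
}

int main(void)
{
    printf("pre-fix, MMU down:  %d stale node(s)\n", stale_nodes_after_destroy(true, false));
    printf("post-fix, MMU down: %d stale node(s)\n", stale_nodes_after_destroy(true, true));
    return 0;
}
```

In the model, a non-zero stale count is the condition that becomes a use-after-free in the real allocator, because removing a neighbour rewrites the link fields of the node that was left behind.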
