CVE-2025-37765: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_delete [ttm] RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? die_addr+0x3d/0x70 ? exc_general_protection+0x159/0x460 ? asm_exc_general_protection+0x27/0x30 ? dma_resv_iter_first_unlocked+0x55/0x290 dma_resv_wait_timeout+0x56/0x100 ttm_bo_delayed_delete+0x69/0xb0 [ttm] process_one_work+0x217/0x5c0 worker_thread+0x1c8/0x3d0 ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 kthread+0x10b/0x240 ? kthreads_online_cpu+0x140/0x140 ret_from_fork+0x40/0x70 ? kthreads_online_cpu+0x140/0x140 ret_from_fork_asm+0x11/0x20 </TASK> The cause of this is: - drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the reference to the shared dma_buf. The reference count is 0, so the dma_buf is destroyed, which in turn decrements the corresponding amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - calling drm_gem_object_release then dma_resv_fini (which destroys the reservation object), then finally freeing the amdgpu_bo. - nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory formerly allocated to the amdgpu_bo. - nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls ttm_bo_release, which schedules ttm_bo_delayed_delete. - ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, resulting in a general protection fault. Fix this by moving the drm_prime_gem_destroy call from nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will be run after ttm_bo_delayed_delete.
AI Analysis
Technical Summary
CVE-2025-37765 is a vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the nouveau driver which handles NVIDIA GPUs. The flaw arises from improper handling of memory references during buffer object deletion in the ttm_bo_delayed_delete function. The root cause is a use-after-free condition triggered by a dangling pointer dereference. When drm_prime_gem_destroy releases a dma_buf reference, it can lead to the destruction of an amdgpu_bo object and its associated reservation object. However, the nouveau driver retains a pointer to this now-freed memory. Subsequently, when nouveau_gem_object_del calls ttm_bo_put, it schedules ttm_bo_delayed_delete, which dereferences this dangling pointer, causing a general protection fault (kernel oops). This results in a kernel crash due to accessing invalid memory addresses. The fix involves reordering the call to drm_prime_gem_destroy, moving it from nouveau_gem_object_del to nouveau_bo_del_ttm, ensuring the destruction occurs after ttm_bo_delayed_delete has completed, thus preventing the use-after-free scenario. This vulnerability affects Linux kernel versions identified by the commit hash 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 and likely related versions around the 6.14.0-rc4 release cycle. The issue is technical and specific to the interaction between the nouveau and amdgpu drivers in the DRM subsystem, impacting systems using these open-source GPU drivers.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected nouveau and amdgpu drivers, commonly found in workstations, servers, and embedded devices utilizing NVIDIA and AMD GPUs respectively. Exploitation leads to kernel crashes (general protection faults), resulting in denial of service (DoS) conditions. This can disrupt critical services, especially in environments relying on GPU acceleration for compute tasks, graphics rendering, or virtualization. While the vulnerability does not appear to allow privilege escalation or arbitrary code execution directly, repeated crashes could degrade system availability and reliability. Organizations in sectors such as finance, manufacturing, research, and public services that depend on Linux-based infrastructure with GPU hardware are at risk. The vulnerability could also be leveraged as part of a multi-stage attack to cause instability or to distract from other malicious activities. Given the kernel-level nature, recovery from crashes may require reboots, impacting operational continuity. The lack of known exploits in the wild currently limits immediate risk, but the technical details are public, enabling potential future exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, specifically incorporating the fix that reorders drm_prime_gem_destroy calls within the nouveau driver. Kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. For environments where immediate patching is not feasible, consider disabling or limiting the use of affected GPU drivers (nouveau and amdgpu) if GPU functionality is not critical. Implement kernel crash monitoring and automated recovery mechanisms to reduce downtime impact. Additionally, conduct thorough testing of GPU driver updates in staging environments to ensure stability before production deployment. Organizations should also audit systems to identify Linux hosts using the affected kernel versions and GPU drivers. Employing kernel lockdown features and restricting unprivileged user access to GPU device files can reduce the risk of exploitation. Finally, maintain vigilance for any emerging exploit reports or patches related to this CVE and integrate them into security operations promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2025-37765: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_delete [ttm] RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? die_addr+0x3d/0x70 ? exc_general_protection+0x159/0x460 ? asm_exc_general_protection+0x27/0x30 ? dma_resv_iter_first_unlocked+0x55/0x290 dma_resv_wait_timeout+0x56/0x100 ttm_bo_delayed_delete+0x69/0xb0 [ttm] process_one_work+0x217/0x5c0 worker_thread+0x1c8/0x3d0 ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 kthread+0x10b/0x240 ? kthreads_online_cpu+0x140/0x140 ret_from_fork+0x40/0x70 ? kthreads_online_cpu+0x140/0x140 ret_from_fork_asm+0x11/0x20 </TASK> The cause of this is: - drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the reference to the shared dma_buf. The reference count is 0, so the dma_buf is destroyed, which in turn decrements the corresponding amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - calling drm_gem_object_release then dma_resv_fini (which destroys the reservation object), then finally freeing the amdgpu_bo. - nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory formerly allocated to the amdgpu_bo. - nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls ttm_bo_release, which schedules ttm_bo_delayed_delete. - ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, resulting in a general protection fault. Fix this by moving the drm_prime_gem_destroy call from nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will be run after ttm_bo_delayed_delete.
AI-Powered Analysis
Technical Analysis
CVE-2025-37765 is a vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the nouveau driver which handles NVIDIA GPUs. The flaw arises from improper handling of memory references during buffer object deletion in the ttm_bo_delayed_delete function. The root cause is a use-after-free condition triggered by a dangling pointer dereference. When drm_prime_gem_destroy releases a dma_buf reference, it can lead to the destruction of an amdgpu_bo object and its associated reservation object. However, the nouveau driver retains a pointer to this now-freed memory. Subsequently, when nouveau_gem_object_del calls ttm_bo_put, it schedules ttm_bo_delayed_delete, which dereferences this dangling pointer, causing a general protection fault (kernel oops). This results in a kernel crash due to accessing invalid memory addresses. The fix involves reordering the call to drm_prime_gem_destroy, moving it from nouveau_gem_object_del to nouveau_bo_del_ttm, ensuring the destruction occurs after ttm_bo_delayed_delete has completed, thus preventing the use-after-free scenario. This vulnerability affects Linux kernel versions identified by the commit hash 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 and likely related versions around the 6.14.0-rc4 release cycle. The issue is technical and specific to the interaction between the nouveau and amdgpu drivers in the DRM subsystem, impacting systems using these open-source GPU drivers.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected nouveau and amdgpu drivers, commonly found in workstations, servers, and embedded devices utilizing NVIDIA and AMD GPUs respectively. Exploitation leads to kernel crashes (general protection faults), resulting in denial of service (DoS) conditions. This can disrupt critical services, especially in environments relying on GPU acceleration for compute tasks, graphics rendering, or virtualization. While the vulnerability does not appear to allow privilege escalation or arbitrary code execution directly, repeated crashes could degrade system availability and reliability. Organizations in sectors such as finance, manufacturing, research, and public services that depend on Linux-based infrastructure with GPU hardware are at risk. The vulnerability could also be leveraged as part of a multi-stage attack to cause instability or to distract from other malicious activities. Given the kernel-level nature, recovery from crashes may require reboots, impacting operational continuity. The lack of known exploits in the wild currently limits immediate risk, but the technical details are public, enabling potential future exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, specifically incorporating the fix that reorders drm_prime_gem_destroy calls within the nouveau driver. Kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. For environments where immediate patching is not feasible, consider disabling or limiting the use of affected GPU drivers (nouveau and amdgpu) if GPU functionality is not critical. Implement kernel crash monitoring and automated recovery mechanisms to reduce downtime impact. Additionally, conduct thorough testing of GPU driver updates in staging environments to ensure stability before production deployment. Organizations should also audit systems to identify Linux hosts using the affected kernel versions and GPU drivers. Employing kernel lockdown features and restricting unprivileged user access to GPU device files can reduce the risk of exploitation. Finally, maintain vigilance for any emerging exploit reports or patches related to this CVE and integrate them into security operations promptly.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-04-16T04:51:23.939Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe838e
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:56:38 PM
Last updated: 8/5/2025, 7:36:45 AM
Views: 13
Related Threats
CVE-2025-50610: n/a
HighCVE-2025-50609: n/a
HighCVE-2025-50608: n/a
HighCVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server
MediumCVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.