Home

Description

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free. Allocate a temporary RPC container for holding the initial fragment of a large RPC when sending. Free the caller's container when all fragments are successfully sent. [ Rebase onto Blackwell changes. - Danilo ]

PUBLISHED Reserved 2025-04-16 | Published 2025-07-04 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

176fdcbddfd288408ce8571c1760ad618d962096 (git) before cd4677407c0ee250fc21e36439c8a442ddd62cc1
affected

176fdcbddfd288408ce8571c1760ad618d962096 (git) before 9802f0a63b641f4cddb2139c814c2e95cb825099
affected

Default status
affected

6.7
affected

Any version before 6.7
unaffected

6.15.4 (semver)
unaffected

6.16 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/cd4677407c0ee250fc21e36439c8a442ddd62cc1

git.kernel.org/...c/9802f0a63b641f4cddb2139c814c2e95cb825099

cve.org (CVE-2025-38187)

nvd.nist.gov (CVE-2025-38187)

Download JSON