We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38187

drm/nouveau: fix a use-after-free in r535_gsp_rpc_push()



Description

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free. Allocate a temporary RPC container for holding the initial fragment of a large RPC when sending. Free the caller's container when all fragments are successfully sent. [ Rebase onto Blackwell changes. - Danilo ]

Reserved 2025-04-16 | Published 2025-07-04 | Updated 2025-07-04 | Assigner Linux

Product status

Default status
unaffected

176fdcbddfd288408ce8571c1760ad618d962096 before cd4677407c0ee250fc21e36439c8a442ddd62cc1
affected

176fdcbddfd288408ce8571c1760ad618d962096 before 9802f0a63b641f4cddb2139c814c2e95cb825099
affected

Default status
affected

6.7
affected

Any version before 6.7
unaffected

6.15.4
unaffected

6.16-rc3
unaffected

References

git.kernel.org/...c/cd4677407c0ee250fc21e36439c8a442ddd62cc1

git.kernel.org/...c/9802f0a63b641f4cddb2139c814c2e95cb825099

cve.org (CVE-2025-38187)

nvd.nist.gov (CVE-2025-38187)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38187

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.