{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drm/xe: Fix vm_bind_ioctl double free bug",
    "id" : "2393488",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393488"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-763",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe: Fix vm_bind_ioctl double free bug\nIf the argument check during an array bind fails, the bind_ops are freed\ntwice as seen below. Fix this by setting bind_ops to NULL after freeing.\n==================================================================\nBUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\nFree of addr ffff88813bb9b800 by task xe_vm/14198\nCPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full)\nHardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5 RVP, BIOS ADLPFWI1.R00.2411.A02.2110081023 10/08/2021\nCall Trace:\n<TASK>\ndump_stack_lvl+0x82/0xd0\nprint_report+0xcb/0x610\n? __virt_addr_valid+0x19a/0x300\n? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\nkasan_report_invalid_free+0xc8/0xf0\n? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\ncheck_slab_allocation+0x102/0x130\nkfree+0x10d/0x440\n? should_fail_ex+0x57/0x2f0\n? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\nxe_vm_bind_ioctl+0x1b2/0x21f0 [xe]\n? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\n? __lock_acquire+0xab9/0x27f0\n? lock_acquire+0x165/0x300\n? drm_dev_enter+0x53/0xe0 [drm]\n? find_held_lock+0x2b/0x80\n? drm_dev_exit+0x30/0x50 [drm]\n? drm_ioctl_kernel+0x128/0x1c0 [drm]\ndrm_ioctl_kernel+0x128/0x1c0 [drm]\n? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\n? find_held_lock+0x2b/0x80\n? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]\n? should_fail_ex+0x57/0x2f0\n? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]\ndrm_ioctl+0x352/0x620 [drm]\n? __pfx_drm_ioctl+0x10/0x10 [drm]\n? __pfx_rpm_resume+0x10/0x10\n? do_raw_spin_lock+0x11a/0x1b0\n? find_held_lock+0x2b/0x80\n? __pm_runtime_resume+0x61/0xc0\n? rcu_is_watching+0x20/0x50\n? trace_irq_enable.constprop.0+0xac/0xe0\nxe_drm_ioctl+0x91/0xc0 [xe]\n__x64_sys_ioctl+0xb2/0x100\n? rcu_is_watching+0x20/0x50\ndo_syscall_64+0x68/0x2e0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa9acb24ded\n(cherry picked from commit a01b704527c28a2fd43a17a85f8996b75ec8492a)" ],
  "statement" : "This vulnerability can in theory be triggered by a non-privileged user as the primary requirements are:\n1. Access to GPU devices (usually possible if the user is part of the `video`/`render` groups);\n2. The ability to interface with DRM ioctl operations (a standard GPU programming interface available to non-privileged users); \n3. Execute GPU virtual memory operations (creating address spaces and submitting bind operations).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1690",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.31.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1143",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.26.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38731\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38731\nhttps://lore.kernel.org/linux-cve-announce/2025090541-CVE-2025-38731-9537@gregkh/T" ],
  "name" : "CVE-2025-38731",
  "csaw" : false
}