{"id":"CVE-2025-38595","summary":"xen: fix UAF in dmabuf_exp_from_pages()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxen: fix UAF in dmabuf_exp_from_pages()\n\n[dma_buf_fd() fixes; no preferences regarding the tree it goes through -\nup to xen folks]\n\nAs soon as we'd inserted a file reference into descriptor table, another\nthread could close it.  That's fine for the case when all we are doing is\nreturning that descriptor to userland (it's a race, but it's a userland\nrace and there's nothing the kernel can do about it).  However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its -\u003erelease()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\ngntdev dmabuf_exp_from_pages() calls it and then proceeds to access the\nobjects destroyed on close - starting with gntdev_dmabuf itself.\n\nFix that by reserving the descriptor before anything else and doing\nfd_install() only when everything has been set up.","modified":"2026-04-02T12:48:02.834871Z","published":"2025-08-19T17:03:25.527Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38595.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3edfd2353f301bfffd5ee41066e37320a59ccc2d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/532c8b51b3a8676cbf533a291f8156774f30ea87"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d59d49af4aeed9a81e673e37c26c6a3bacf1a181"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e5907885260401bba300d4d18d79875c05b82651"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38595.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38595"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a240d6e42e28c34fdc34b3a98ca838a31c939901"},{"fixed":"e5907885260401bba300d4d18d79875c05b82651"},{"fixed":"3edfd2353f301bfffd5ee41066e37320a59ccc2d"},{"fixed":"d59d49af4aeed9a81e673e37c26c6a3bacf1a181"},{"fixed":"532c8b51b3a8676cbf533a291f8156774f30ea87"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38595.json"}}],"schema_version":"1.7.5"}
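The ordering bug the commit message describes, as an added userspace model that is not kernel code and not part of the OSV record or the gntdev driver: a tiny fake descriptor table with refcounted files and a ->release() hook stands in for the kernel's fdtable, `struct file`, `get_unused_fd_flags()`, `fd_install()` and `put_unused_fd()`. The names `exp_from_pages_vulnerable`, `exp_from_pages_fixed`, `dmabuf_set_fd`, `run_scenario` and the `UAF_DETECTED` sentinel are assumptions for this illustration; the "freed" object is only flagged, never really freed, so the race can be observed without undefined behaviour. The racing close() is made deterministic by having the other thread win immediately after the install.

```c
/* Model of CVE-2025-38595's fd_install() ordering bug. Illustration only,
 * not kernel or gntdev code; all names below are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_FDS 8
#define UAF_DETECTED (-99)   /* sentinel for this model, not a kernel errno */

struct file;

/* Stand-in for gntdev_dmabuf: destroyed by the file's ->release().
 * 'freed' is set instead of freeing, so a later access is detectable. */
struct gntdev_dmabuf {
    int fd;
    bool freed;
};

struct file {
    int refcount;
    struct gntdev_dmabuf *priv;
    void (*release)(struct file *);
};

static struct file *fdtable[NR_FDS];
static bool fd_reserved[NR_FDS];
static bool racing_closer;   /* models a second thread close()ing the new fd at once */

static void dmabuf_release(struct file *f) { f->priv->freed = true; }

static struct file *file_alloc(struct gntdev_dmabuf *d)
{
    struct file *f = calloc(1, sizeof(*f));
    if (!f)
        return NULL;
    f->refcount = 1;
    f->priv = d;
    f->release = dmabuf_release;
    return f;
}

static void fput(struct file *f)
{
    if (--f->refcount == 0) {
        f->release(f);   /* everything owned by the file dies here */
        free(f);
    }
}

/* Reserve a slot without making anything visible to userspace yet. */
static int get_unused_fd(void)
{
    for (int i = 0; i < NR_FDS; i++)
        if (!fdtable[i] && !fd_reserved[i]) {
            fd_reserved[i] = true;
            return i;
        }
    return -1;
}

static void put_unused_fd(int fd) { fd_reserved[fd] = false; }

static int sys_close(int fd)
{
    struct file *f = fdtable[fd];
    if (!f)
        return -1;
    fdtable[fd] = NULL;
    fput(f);
    return 0;
}

/* Once installed, userspace owns the descriptor; with racing_closer set the
 * other thread always wins the race and closes it before we return. */
static void fd_install(int fd, struct file *f)
{
    fd_reserved[fd] = false;
    fdtable[fd] = f;
    if (racing_closer)
        sys_close(fd);
}

/* The post-install access the commit names (gntdev_dmabuf->fd = fd). */
static int dmabuf_set_fd(struct gntdev_dmabuf *d, int fd)
{
    if (d->freed)
        return UAF_DETECTED;
    d->fd = fd;
    return 0;
}

/* Before the fix: dma_buf_fd()-style reserve+install, then touch the object. */
static int exp_from_pages_vulnerable(struct gntdev_dmabuf *d)
{
    struct file *f = file_alloc(d);
    int fd;
    if (!f)
        return -1;
    fd = get_unused_fd();
    if (fd < 0) { fput(f); return fd; }
    fd_install(fd, f);                       /* object may be gone after this */
    return dmabuf_set_fd(d, fd) < 0 ? UAF_DETECTED : fd;
}

/* After the fix: reserve first, finish all setup, install last. */
static int exp_from_pages_fixed(struct gntdev_dmabuf *d)
{
    int fd = get_unused_fd();
    struct file *f;
    if (fd < 0)
        return fd;
    f = file_alloc(d);
    if (!f) { put_unused_fd(fd); return -1; }
    if (dmabuf_set_fd(d, fd) < 0) { put_unused_fd(fd); fput(f); return UAF_DETECTED; }
    fd_install(fd, f);                       /* nothing below touches d or f */
    return fd;
}

/* Run one scenario on a fresh table; returns the export function's result
 * (a descriptor >= 0, or UAF_DETECTED when freed memory was touched). */
static int run_scenario(bool fixed, bool race)
{
    struct gntdev_dmabuf d = { .fd = -1, .freed = false };
    memset(fdtable, 0, sizeof(fdtable));
    memset(fd_reserved, 0, sizeof(fd_reserved));
    racing_closer = race;
    int r = fixed ? exp_from_pages_fixed(&d) : exp_from_pages_vulnerable(&d);
    if (r >= 0 && fdtable[r])
        sys_close(r);                        /* release the model's file */
    return r;
}

int main(void)
{
    printf("vulnerable, no race: %d\n", run_scenario(false, false));
    printf("vulnerable, race:    %d\n", run_scenario(false, true));
    printf("fixed, no race:      %d\n", run_scenario(true, false));
    printf("fixed, race:         %d\n", run_scenario(true, true));
    return 0;
}
```

The fixed path still lets the other thread close the descriptor before the caller sees it; that is the userland race the commit message calls harmless, because the kernel touches nothing owned by the file after fd_install(). The check a reviewer would apply to any driver exporting a file is the same: every error path after the reservation must pair put_unused_fd() with dropping the file, and fd_install() must be the last statement that can see the object.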