CVE-2025-38187

When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free.

Allocate a temporary RPC container for holding the initial fragment of a large RPC when sending. Free the caller's container when all fragments are successfully sent.

[ Rebase onto Blackwell changes. - Danilo ]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

176fdcbddfd288408ce8571c1760ad618d962096

Fixed

cd4677407c0ee250fc21e36439c8a442ddd62cc1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

176fdcbddfd288408ce8571c1760ad618d962096

Fixed

9802f0a63b641f4cddb2139c814c2e95cb825099

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.16-rc1

v6.6

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9802f0a63b641f4cddb2139c814c2e95cb825099",
        "signature_version": "v1",
        "digest": {
            "function_hash": "302799180269589382864106227395964719439",
            "length": 1193.0
        },
        "target": {
            "function": "r535_gsp_rpc_push",
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c"
        },
        "id": "CVE-2025-38187-65a8123f",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd4677407c0ee250fc21e36439c8a442ddd62cc1",
        "signature_version": "v1",
        "digest": {
            "function_hash": "302799180269589382864106227395964719439",
            "length": 1193.0
        },
        "target": {
            "function": "r535_gsp_rpc_push",
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c"
        },
        "id": "CVE-2025-38187-8d135473",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd4677407c0ee250fc21e36439c8a442ddd62cc1",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "313905064198155412557348614138021951582",
                "91929028905955704004277443161885988700",
                "125393504417766830661036149551553324337",
                "306062951106131457483703903993707769440",
                "185813110761874356187480891931806872631",
                "219837748237914477569601115066977566482",
                "91871855134638869568330214760006316796",
                "70860937405214819094747918406680977577",
                "47798268099994756258492657734632882828",
                "39543813591935705357146940056431709505",
                "49841533522368945834558263647772118906",
                "99599289535472046074332958291934321743",
                "120161459148413086182060852323580012587",
                "123593775704724429332144278337962112972",
                "52147674713334586431634824839495518119"
            ]
        },
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c"
        },
        "id": "CVE-2025-38187-90bcadd0",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9802f0a63b641f4cddb2139c814c2e95cb825099",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "313905064198155412557348614138021951582",
                "91929028905955704004277443161885988700",
                "125393504417766830661036149551553324337",
                "306062951106131457483703903993707769440",
                "185813110761874356187480891931806872631",
                "219837748237914477569601115066977566482",
                "91871855134638869568330214760006316796",
                "70860937405214819094747918406680977577",
                "47798268099994756258492657734632882828",
                "39543813591935705357146940056431709505",
                "49841533522368945834558263647772118906",
                "99599289535472046074332958291934321743",
                "120161459148413086182060852323580012587",
                "123593775704724429332144278337962112972",
                "52147674713334586431634824839495518119"
            ]
        },
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c"
        },
        "id": "CVE-2025-38187-a3beb3ce",
        "deprecated": false,
        "signature_type": "Line"
    }
]

CVE-2025-38187

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v6.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges