{ "threat_severity" : "Moderate", "public_date" : "2025-06-18T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Denial of Service due to null pointer dereference in GT MMIO initialization for VFs", "id" : "2373359", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373359" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-824", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe/vf: Perform early GT MMIO initialization to read GMDID\nVFs need to communicate with the GuC to obtain the GMDID value\nand existing GuC functions used for that assume that the GT has\nit's MMIO members already setup. However, due to recent refactoring\nthe gt->mmio is initialized later, and any attempt by the VF to use\nxe_mmio_read|write() from GuC functions will lead to NPD crash due\nto unset MMIO register address:\n[] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode\n[] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507\n[] BUG: unable to handle page fault for address: 0000000000190240\nSince we are already tweaking the id and type of the primary GT to\nmimic it's a Media GT before initializing the GuC communication,\nwe can also call xe_gt_mmio_init() to perform early setup of the\ngt->mmio which will make those GuC functions work again.", "A flaw was found in the Linux kernel. Improper initialization of the Graphics Translation (GT) Memory-Mapped Input/Output (MMIO) during early setup for Virtual Functions (VFs) can lead to a null pointer dereference. A local attacker with low privileges could exploit this by attempting to use Graphics micro-controller (GuC) functions, causing a system crash and resulting in a Denial of Service (DoS)." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38036\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38036\nhttps://lore.kernel.org/linux-cve-announce/2025061826-CVE-2025-38036-0063@gregkh/T" ], "name" : "CVE-2025-38036", "mitigation" : { "value" : "To mitigate this issue, prevent the `xe` kernel module from loading. This can be achieved by creating a blacklist rule. Note that this may impact graphics functionality if Intel Xe graphics are in use.\nTo blacklist the module:\n1. Create a file `/etc/modprobe.d/blacklist-xe.conf` with the following content:\n```\nblacklist xe\ninstall xe /bin/true\n```\n2. Regenerate the initramfs:\n```bash\ndracut -f -v\n```\nor for systems using `mkinitrd`:\n```bash\nmkinitrd -f -v /boot/initramfs-$(uname -r).img $(uname -r)\n```\n3. Reboot the system for the changes to take effect.\nThis mitigation will prevent the `xe` module from loading at boot. If the module is already loaded, it will remain loaded until the next reboot.", "lang" : "en:us" }, "csaw" : false }