CVE-2025-38731: Double Free in Linux

Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 94.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 5

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix vm_bind_ioctl double free bug

If the argument check during an array bind fails, the bind_ops are freed twice as seen below. Fix this by setting bind_ops to NULL after freeing.

BUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
Free of addr ffff88813bb9b800 by task xe_vm/14198
CPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full)
Hardware name: Intel Corporation

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (4 packages)

NVD: linux/linux_kernel 6.15 6.16.4 +1
Debian: linux/linux_kernel < 6.16.5-1
CVEListV5: linux/linux b43e864af0d4e74636c0e1dee857ce3275a84829 77a946bf1af0e8110ef6e243394217a17f9b7e33 +2
debian: debian/linux < linux 6.16.5-1 (forky)

🔴 Vulnerability Details (2)

GHSA: GHSA-5hc5-4v2f-5h8m: In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix vm_bind_ioctl double free bug If the argument check during an array (2025-09-05)
OSV: CVE-2025-38731: In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix vm_bind_ioctl double free bug If the argument check during an array bi (2025-09-05)

📋 Vendor Advisories (2)

Red Hat: kernel: drm/xe: Fix vm_bind_ioctl double free bug (2025-09-05)
Debian: CVE-2025-38731: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix... 2025