CVE-2025-38189
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's v3d graphics driver allows local attackers to cause a kernel panic (denial of service) when a file descriptor is closed before GPU jobs complete. This affects systems using the v3d driver, particularly Raspberry Pi devices with Broadcom VideoCore VI GPUs. The vulnerability requires local access to trigger.
💻 Affected Systems
- Linux kernel with v3d driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
Local denial of service through kernel panic when malicious users close file descriptors before GPU job completion.
If Mitigated
Minimal impact with proper access controls limiting local user privileges.
🎯 Exploit Status
Exploitation requires local access and ability to create/close GPU file descriptors. No authentication bypass needed beyond local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 4f4701489d0f, c88678400093, e1bc3a13bd77
Vendor Advisory: https://git.kernel.org/stable/c/4f4701489d0f768a232b10d281491184f34bacf0
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. For Raspberry Pi OS: Update kernel package via apt.
3. For other distributions: Update to latest kernel from vendor repositories.
4. Reboot system after update.
🔧 Temporary Workarounds
Disable v3d module
Prevent loading of vulnerable v3d driver module
echo 'blacklist v3d' >> /etc/modprobe.d/blacklist-v3d.conf
update-initramfs -u
reboot
Restrict local user access
Limit which users can access GPU devices (permissions set this way are reset when udev recreates the device node, for example at reboot)
chmod 600 /dev/dri/renderD128
setfacl -m u:username:rw /dev/dri/renderD128
🧯 If You Can't Patch
- Restrict local user access to prevent untrusted users from triggering the vulnerability
- Monitor kernel logs for Oops messages related to v3d_job_update_stats
🔍 How to Verify
Check if Vulnerable:
Check if v3d module is loaded: lsmod | grep v3d. Check kernel version: uname -r and compare with patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits. Check dmesg for absence of v3d_job_update_stats Oops messages after testing.
📡 Detection & Monitoring
Log Indicators:
- Kernel Oops messages mentioning v3d_job_update_stats
- Kernel panic logs with v3d module in call trace
- dmesg entries with 'Unable to handle kernel NULL pointer dereference' in v3d context
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("v3d_job_update_stats" OR "v3d: Oops" OR ("NULL pointer dereference" AND "v3d"))
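The log indicators above can be correlated per Oops report instead of per line, so a NULL dereference in an unrelated driver is not flagged just because v3d is loaded. This is an added example, not code from the advisory or the kernel project. The sample log is constructed, and the `---[ end trace` end marker, the `[v3d]` symbol suffix and the 80-line cap are assumptions about the log format.

```python
import re

# Markers below come from the page's "Log Indicators" list.
OOPS_START = "Unable to handle kernel NULL pointer dereference"
V3D_FUNC = "v3d_job_update_stats"
# Module symbols print as "sym+0x.. [v3d]"; "Modules linked in:" has no brackets.
V3D_SYMBOL = re.compile(r"\[v3d\]")
OOPS_END = "---[ end trace"  # assumption: marker that closes an Oops report
MAX_BLOCK = 80               # assumption: cap when that marker is missing

# Constructed sample log: addresses, offsets and example_mod are made up.
SAMPLE = """\
[  101.01] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[  101.02] Modules linked in: v3d gpu_sched example_mod
[  101.03] pc : v3d_job_update_stats+0x5c/0x120 [v3d]
[  101.04] ---[ end trace 0000000000000000 ]---
[  202.01] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  202.02] Modules linked in: v3d gpu_sched example_mod
[  202.03] pc : example_probe+0x10/0x40 [example_mod]
[  202.04] ---[ end trace 0000000000000000 ]---
""".splitlines()


def classify(block):
    """Grade one Oops report; None means it does not involve v3d."""
    text = "\n".join(block)
    if V3D_FUNC in text:
        return {"severity": "high", "reason": V3D_FUNC, "start": block[0]}
    if V3D_SYMBOL.search(text):
        return {"severity": "medium", "reason": "[v3d] symbol", "start": block[0]}
    return None


def find_v3d_oops(lines):
    """Group lines into NULL-dereference Oops reports and keep the v3d ones."""
    reports, block = [], None
    for line in lines:
        if OOPS_START in line:
            if block:  # previous report lost its end marker
                reports.append(block)
            block = [line]
        elif block is not None:
            block.append(line)
            if OOPS_END in line or len(block) >= MAX_BLOCK:
                reports.append(block)
                block = None
    if block:
        reports.append(block)
    return [hit for hit in map(classify, reports) if hit]
```

Feed it the lines of a saved kernel log; on the constructed sample only the first report is returned, graded high.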