CVE-2025-38690
📋 TL;DR
A stack overflow vulnerability in the Linux kernel's Xe graphics driver migration code allows local attackers to trigger infinite recursion, potentially causing kernel panics and denial of service. This affects systems running vulnerable Linux kernel versions with Intel Xe graphics driver enabled. The vulnerability requires local access to exploit.
💻 Affected Systems
- Linux kernel with Intel Xe graphics driver (drm/xe)
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially allowing local privilege escalation if combined with other vulnerabilities.
Likely Case
Local denial of service through kernel panic when specific graphics operations are triggered via eudebug or similar tools.
If Mitigated
No impact if patched or if Xe graphics driver is not loaded/used.
🎯 Exploit Status
Exploitation requires local access and triggering specific graphics migration operations. The eudebug tool is mentioned as a trigger path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commit 38b34e928a08ba594c4bbf7118aa3aadacd62fff or later
Vendor Advisory: https://git.kernel.org/stable/c/89f511c024879c5812cc0c010a6663b5e49950f3
Restart Required: No
Instructions:
1. Update Linux kernel to version containing the fix commit. 2. For distributions: Use package manager to update kernel package. 3. Rebuild kernel if using custom kernel. 4. No reboot required for live kernel update if using kpatch/kGraft, otherwise reboot to load new kernel.
🔧 Temporary Workarounds
Disable Xe graphics driver
allPrevent loading of the vulnerable drm/xe driver module
echo 'blacklist xe' >> /etc/modprobe.d/blacklist.conf
rmmod xe
Restrict eudebug access
allLimit access to eudebug tool that can trigger the vulnerability
chmod 700 /path/to/eudebug
setfacl -m u:root:rwx /path/to/eudebug
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local users from executing graphics operations
- Monitor system logs for kernel panic events related to Xe driver or eudebug usage
🔍 How to Verify
Check if Vulnerable:
Check if Xe driver is loaded: lsmod | grep xe. Check kernel version: uname -r and compare with patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel contains fix commit: grep -r '38b34e928a08ba594c4bbf7118aa3aadacd62fff' /usr/src/linux/ or check kernel changelog.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- Stack overflow errors related to Xe driver
- eudebug process execution logs
Network Indicators:
- None - local vulnerability only
SIEM Query:
event_source="kernel" AND (message="panic" OR message="Oops") AND (process="eudebug" OR module="xe")