CVE-2025-38731

Source
https://cve.org/CVERecord?id=CVE-2025-38731
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38731.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38731
Published
2025-09-05T17:20:30.618Z
Modified
2026-02-06T11:58:44.472641Z
Summary
drm/xe: Fix vm_bind_ioctl double free bug
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix vm_bind_ioctl double free bug

If the argument check during an array bind fails, the bindops are freed twice as seen below. Fix this by setting bindops to NULL after freeing.

==================================================================
BUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
Free of addr ffff88813bb9b800 by task xe_vm/14198

CPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full)
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5 RVP, BIOS ADLPFWI1.R00.2411.A02.2110081023 10/08/2021
Call Trace:
 <TASK>
 dump_stack_lvl+0x82/0xd0
 print_report+0xcb/0x610
 ? __virt_addr_valid+0x19a/0x300
 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
 kasan_report_invalid_free+0xc8/0xf0
 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
 check_slab_allocation+0x102/0x130
 kfree+0x10d/0x440
 ? should_fail_ex+0x57/0x2f0
 ? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
 xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
 ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
 ? __lock_acquire+0xab9/0x27f0
 ? lock_acquire+0x165/0x300
 ? drm_dev_enter+0x53/0xe0 [drm]
 ? find_held_lock+0x2b/0x80
 ? drm_dev_exit+0x30/0x50 [drm]
 ? drm_ioctl_kernel+0x128/0x1c0 [drm]
 drm_ioctl_kernel+0x128/0x1c0 [drm]
 ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
 ? find_held_lock+0x2b/0x80
 ? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]
 ? should_fail_ex+0x57/0x2f0
 ? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
 drm_ioctl+0x352/0x620 [drm]
 ? __pfx_drm_ioctl+0x10/0x10 [drm]
 ? __pfx_rpm_resume+0x10/0x10
 ? do_raw_spin_lock+0x11a/0x1b0
 ? find_held_lock+0x2b/0x80
 ? __pm_runtime_resume+0x61/0xc0
 ? rcu_is_watching+0x20/0x50
 ? trace_irq_enable.constprop.0+0xac/0xe0
 xe_drm_ioctl+0x91/0xc0 [xe]
 __x64_sys_ioctl+0xb2/0x100
 ? rcu_is_watching+0x20/0x50
 do_syscall_64+0x68/0x2e0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa9acb24ded

(cherry picked from commit a01b704527c28a2fd43a17a85f8996b75ec8492a)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38731.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b43e864af0d4e74636c0e1dee857ce3275a84829
Fixed
77a946bf1af0e8110ef6e243394217a17f9b7e33
Fixed
111fb43a557726079a67ce3ab51f602ddbf7097e

Affected versions

v6.*
v6.14
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.17-rc1
v6.17-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38731.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.16.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38731.json"