DEBIAN-CVE-2025-38722
In the Linux kernel, the following vulnerability has been resolved: habanalabs: fix UAF in export_dmabuf() As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). habanalabs export_dmabuf() calls it and then proceeds to access the objects destroyed on close. In particular, it grabs an extra reference to another struct file that will be dropped as part of ->release() for ours; that "will be" is actually "might have already been". Fix that by reserving descriptor before anything else and do fd_install() only when everything had been set up. As a side benefit, we no longer have the failure exit with file already created, but reference to underlying file (as well as ->dmabuf_export_cnt, etc.) not grabbed yet; unlike dma_buf_fd(), fd_install() can't fail.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | linux | 0, 6.12.43-1, 6.12.41-1 |
| Debian:12 | linux | 6.3.4-1, 6.19.5-1, 6.19.6-1 |
| Debian:14 | linux | 0, 6.12.41-1, 6.12.73-1 |
Timeline
- Sep 4, 2025 CVE Published
- Apr 28, 2026 CVE Updated