Skip to main content

Linux CVE-2025-38436

MEDIUM
Improper Locking (CWE-667)
2025-07-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 18, 2026 - 09:25 vuln.today

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/scheduler: signal scheduled fence when kill job

When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared.

This leads to application A hanging indefinitely while waiting for a dependency that will never be resolved. Fix this issue by ensuring that scheduled fences are properly signaled when an entity is killed, allowing dependent applications to continue execution.

AnalysisAI

Linux kernel DRM scheduler fails to signal scheduled fences when killing job entities, causing dependent applications to hang indefinitely waiting for unresolved dependencies. Authenticated local users can trigger this denial of service by terminating applications whose job dependencies are not properly cleared during entity kill operations. The vulnerability affects multiple Linux kernel versions and has been patched upstream.

Technical ContextAI

The vulnerability exists in the Linux kernel's Direct Rendering Manager (DRM) scheduler subsystem, specifically in the job entity lifecycle management. The DRM scheduler coordinates GPU job execution across multiple applications through fence mechanisms that track task dependencies. When drm_sched_entity_kill() terminates an entity (representing one application's GPU work), it invokes drm_sched_entity_kill_jobs_work() to remove all associated jobs. However, the vulnerability stems from inadequate fence signaling during this cleanup: if Application A's job has a scheduled fence dependency on Application B's job, and Application B's entity is killed without properly signaling its scheduled fences, Application A's job remains stuck waiting for a dependency signal that never arrives. This represents a classic CWE-667 (Improper Locking) scenario in concurrent subsystem design where resource cleanup in one execution context fails to notify dependent contexts.

RemediationAI

Update the Linux kernel to a version incorporating the upstream fix. The primary remediation is to apply kernel security updates from the stable tree branches; check your distribution's kernel update channel for patched versions corresponding to the commits referenced (471db2c2d4f, 8342127a8a6, aa382a8b6ed, aefd0a9356, c5734f9bab6). For systems unable to immediately patch, implement process isolation and resource limits: use cgroups and namespace isolation to prevent cross-application GPU job dependency chains (separate cgroups for unrelated applications), disable GPU sharing between untrusted applications where feasible, and implement application health monitoring and restart policies to mitigate hangs. Set aggressive application watchdog timeouts (e.g., cgroup memory.memsw.limit_in_bytes, systemd service restarts) so that hanging applications are automatically terminated and restarted rather than blocking system resources indefinitely. These compensating controls reduce availability impact but do not address the underlying vulnerability and may mask other issues causing legitimate long-running GPU workloads.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.44 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.27 Image SL-Micro Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.67 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.29 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.76 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.14 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected

Share

CVE-2025-38436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy