Skip to main content

Linux Kernel EUVDEUVD-2025-210057

| CVE-2025-71314 MEDIUM
2026-06-03 Linux GHSA-7rv6-jm8q-x9p7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 22:46 vuln.today
CVSS changed
Jun 09, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
MEDIUM 5.5
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Recover from panthor_gpu_flush_caches() failures

We have seen a few cases where the whole memory subsystem is blocked and flush operations never complete. When that happens, we want to:

  • schedule a reset, so we can recover from this situation
  • in the reset path, we need to reset the pending_reqs so we can send

new commands after the reset

  • if more panthor_gpu_flush_caches() operations are queued after

the timeout, we skip them and return -EIO directly to avoid needless waits (the memory block won't miraculously work again)

Note that we drop the WARN_ON()s because these hangs can be triggered with buggy GPU jobs created by the UMD, and there's no way we can prevent it. We do keep the error messages though.

v2:

  • New patch

v3:

  • Collect R-b
  • Explicitly mention the fact we dropped the WARN_ON()s in the commit

message

v4:

  • No changes

AnalysisAI

Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when panthor_gpu_flush_caches() times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.

Technical ContextAI

The Panthor driver (drivers/gpu/drm/panthor/) is Linux's DRM subsystem driver for ARM's newer Panthor GPU IP (found in SoCs such as Rockchip RK3588 and similar ARM platforms). The panthor_gpu_flush_caches() function is responsible for issuing cache flush commands to the GPU memory subsystem and waiting for completion. The vulnerability is a missing error-recovery path: when the GPU memory subsystem deadlocks or hangs, the flush operation never completes, the driver does not schedule a GPU reset, and subsequent queued flush operations also block. The CPE strings (cpe:2.3:a:linux:linux:*) confirm the scope is the upstream Linux kernel. Although CWE is listed as N/A by NVD, the root cause class most closely maps to CWE-400 (Uncontrolled Resource Consumption) or CWE-835 (Loop with Unreachable Exit Condition), given the indefinite wait without a timeout-triggered recovery path. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the impact is availability-only with no confidentiality or integrity consequence.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 6.12.75 or later for the 6.12 stable branch, 6.18.14 or later for the 6.18 branch, 6.19.4 or later for the 6.19 branch, or 7.0 for mainline. The upstream fix commits are available directly on kernel.org stable trees at https://git.kernel.org/stable/c/8ec4f1b14a6147db07d6e51aa1d6bcc799649847 (6.12 branch), https://git.kernel.org/stable/c/57753f2c64c033a21a7400b3a2192db1cd6c890e (6.18 branch), https://git.kernel.org/stable/c/2c899c6026fc9d39286735b30c4d8550d4ea075b (6.19 branch), and https://git.kernel.org/stable/c/3c0a60195b37af83bbbaf223cd3a78945bace49e (mainline). If patching is not immediately possible, the most effective compensating control is restricting unprivileged access to the Panthor GPU device node (typically /dev/dri/renderD*) using udev rules or cgroup device controller policies - this prevents untrusted local users from submitting GPU jobs entirely, with the trade-off of disabling GPU acceleration for those users. Disabling the panthor kernel module (modprobe -r panthor) fully mitigates the issue but removes all Panthor GPU functionality, which may be acceptable on headless servers where the GPU is unused.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2025-210057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy