Security Vulnerability Report
CVE-2025-68749 CVSS 4.7 MEDIUM

Published: 2025-12-24 13:16:30
Last Modified: 2026-02-26 18:44:06
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Fix race condition when unbinding BOs

Fix 'Memory manager not clean during takedown' warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown.

Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully unmapped at context teardown time or present on the list and unmapped by file_priv_unbind().

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

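cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.8 up to, but excluding, 6.12.68) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13 up to, but excluding, 6.17.13) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.18 up to, but excluding, 6.18.2) - VULNERABLE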
Linux Kernel < 5.15.x (with IVPU driver)
Linux Kernel < 5.10.x (with IVPU driver)
Linux Kernel < 5.4.x (with IVPU driver)
Specific commits: 00812636df370bedf4e44a0c81b86ea96bca8628
Specific commits: 0328bb097bef05a796217c54b3d651cc3782827c
Specific commits: d71333ffdd3707d84cfb95acfaf8ba892adc066b
Specific commits: fb16493ebd8f171bcf0772262619618a131f30f7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
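c
// CVE-2025-68749 PoC - Race condition in Linux kernel IVPU driver
// This PoC demonstrates the race condition in BO unbind sequence
// Note: user-space simulation of the ordering only; it models the kernel
// structures and does not touch the kernel or IVPU hardware
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

// Simulated kernel structures (for demonstration)
struct ivpu_gem_bo {
    int mapped;
    struct ivpu_gem_bo *next;
};

struct ivpu_file_priv {
    struct ivpu_gem_bo *bo_list;
    pthread_mutex_t bo_list_lock;
    void *context;
};

// Simulated helpers standing in for the driver's allocation, mapping and list code
static struct ivpu_gem_bo *allocate_bo(void) {
    return calloc(1, sizeof(struct ivpu_gem_bo));
}

static void map_bo(struct ivpu_gem_bo *bo) { bo->mapped = 1; }
static void unmap_bo(struct ivpu_gem_bo *bo) { bo->mapped = 0; }

// Unlink bo from the singly linked list headed at priv->bo_list
static void remove_from_list(struct ivpu_file_priv *priv, struct ivpu_gem_bo *bo) {
    struct ivpu_gem_bo **pp = &priv->bo_list;
    while (*pp && *pp != bo)
        pp = &(*pp)->next;
    if (*pp)
        *pp = bo->next;
    bo->next = NULL;
}

// Vulnerable function - BO freed before unmapping completes
void *race_thread_unsafe(void *arg) {
    struct ivpu_file_priv *priv = (struct ivpu_file_priv *)arg;

    // Trigger BO allocation and mapping
    struct ivpu_gem_bo *bo = allocate_bo();
    if (!bo)
        return NULL;

    // Add to list without proper locking
    bo->next = priv->bo_list;
    priv->bo_list = bo;

    // Map the BO
    map_bo(bo);

    // VULNERABLE: Remove from list before unmapping
    remove_from_list(priv, bo);

    // Unmap happens after removal - race condition window
    unmap_bo(bo);
    free(bo);
    return NULL;
}

// Safe function - with proper locking
void *race_thread_safe(void *arg) {
    struct ivpu_file_priv *priv = (struct ivpu_file_priv *)arg;

    struct ivpu_gem_bo *bo = allocate_bo();
    if (!bo)
        return NULL;

    // FIXED: Use lock to protect entire unbind sequence
    pthread_mutex_lock(&priv->bo_list_lock);
    bo->next = priv->bo_list;
    priv->bo_list = bo;
    map_bo(bo);
    remove_from_list(priv, bo);
    unmap_bo(bo);
    pthread_mutex_unlock(&priv->bo_list_lock);

    free(bo);
    return NULL;
}

int main(void) {
    struct ivpu_file_priv priv = { .bo_list = NULL, .context = NULL };
    pthread_t t;

    pthread_mutex_init(&priv.bo_list_lock, NULL);

    printf("CVE-2025-68749 Race Condition PoC\n");
    printf("Target: Linux Kernel IVPU Driver\n");
    printf("Vulnerability: BO freed before unmapping completes\n");
    printf("Impact: Local DoS via kernel warning\n");

    // Run each sequence once; a single thread shows the ordering, not the race itself
    pthread_create(&t, NULL, race_thread_unsafe, &priv);
    pthread_join(t, NULL);
    pthread_create(&t, NULL, race_thread_safe, &priv);
    pthread_join(t, NULL);

    pthread_mutex_destroy(&priv.bo_list_lock);
    return 0;
}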

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68749", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-24T13:16:29.830", "lastModified": "2026-02-26T18:44:06.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix 'Memory manager not clean during takedown' warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12.68", "matchCriteriaId": "BDF8DE38-8295-4104-AC61-A15E697A9B3C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.17.13", "matchCriteriaId": "8E97BE39-8D15-4D59-822A-602B5F5A990B"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.2", "matchCriteriaId": "5ACE912B-1ACA-466A-BB6D-22DF82E58988"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0328bb097bef05a796217c54b3d651cc3782827c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}