{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: Kernel: NULL pointer dereference in Intel GVT-g debugfs during device removal", "id" : "2425180", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425180" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/i915/gvt: fix gvt debugfs destroy\nWhen gvt debug fs is destroyed, need to have a sane check if drm\nminor's debugfs root is still available or not, otherwise in case like\ndevice remove through unbinding, drm minor's debugfs directory has\nalready been removed, then intel_gvt_debugfs_clean() would act upon\ndangling pointer like below oops.\ni915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2\ni915 0000:00:02.0: MDEV: Registered\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15\nHardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020\nRIP: 0010:down_write+0x1f/0x90\nCode: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01\nRSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000\nRDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8\nRBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0\nR10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0\nFS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0\nCall Trace:\n\nsimple_recursive_removal+0x9f/0x2a0\n? start_creating.part.0+0x120/0x120\n? _raw_spin_lock+0x13/0x40\ndebugfs_remove+0x40/0x60\nintel_gvt_debugfs_clean+0x15/0x30 [kvmgt]\nintel_gvt_clean_device+0x49/0xe0 [kvmgt]\nintel_gvt_driver_remove+0x2f/0xb0\ni915_driver_remove+0xa4/0xf0\ni915_pci_remove+0x1a/0x30\npci_device_remove+0x33/0xa0\ndevice_release_driver_internal+0x1b2/0x230\nunbind_store+0xe0/0x110\nkernfs_fop_write_iter+0x11b/0x1f0\nvfs_write+0x203/0x3d0\nksys_write+0x63/0xe0\ndo_syscall_64+0x37/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f6947cb5190\nCode: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\nRSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190\nRDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001\nRBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001\nR13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0\n\nModules linked in: kvmgt\nCR2: 00000000000000a0\n---[ end trace 0000000000000000 ]---", "A flaw was found in the Linux kernel's Intel GVT-g (Graphics Virtualization Technology) debugfs component. When a device is removed through unbinding, the `intel_gvt_debugfs_clean()` function may attempt to access a debugfs root that has already been deallocated, leading to a NULL pointer dereference. A local attacker could exploit this vulnerability to cause a kernel crash, resulting in a Denial of Service (DoS)." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54098\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54098\nhttps://lore.kernel.org/linux-cve-announce/2025122409-CVE-2023-54098-d7c9@gregkh/T" ], "name" : "CVE-2023-54098", "csaw" : false }