Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71138

CVE-2025-71138: Linux Kernel Privilege Escalation Flaw

CVE-2025-71138 is a privilege escalation vulnerability in the Linux Kernel affecting the DRM/MSM/DPU subsystem due to a missing NULL pointer check. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71138 Overview

CVE-2025-71138 is a NULL pointer dereference vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem. The flaw resides in the Qualcomm MSM Display Processing Unit (DPU) driver, specifically within the writeback encoder path dpu_encoder_phys_wb_setup_ctl(). A required NULL check on the pingpong interface is performed in nearly every code path, but one location omits it. The defect maps to [CWE-476: NULL Pointer Dereference] and affects multiple Linux kernel branches up to 6.19-rc8. Exploitation requires local access with low privileges and can trigger a kernel crash, resulting in denial of service on affected systems.

Critical Impact

A local user on a system using the Qualcomm MSM DPU display driver can trigger a kernel NULL pointer dereference, causing a system crash and high availability impact.

Affected Products

  • Linux kernel 5.19 (release)
  • Linux kernel 6.19-rc1 through 6.19-rc8
  • Systems using the drm/msm/dpu Qualcomm display driver

Discovery Timeline

  • 2026-01-14 - CVE-2025-71138 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2025-71138

Vulnerability Analysis

The vulnerability lives in the Linux kernel DRM subsystem under drivers/gpu/drm/msm/disp/dpu1/. The Qualcomm MSM DPU driver coordinates display pipelines through a series of hardware blocks, including writeback (WB) encoders and pingpong (PP) interfaces. The function dpu_encoder_phys_wb_setup_ctl() configures the control path that binds these blocks together.

Throughout the function, the driver validates the pingpong interface pointer phys_enc->hw_pp before dereferencing it. The maintainer commit message states that the check is performed "almost always" in this routine, except in a single code path where the validation was missed. When the writeback encoder is invoked while hw_pp is NULL, the kernel dereferences an invalid pointer and oopses.

The fix adds the missing NULL guard and refactors the surrounding code to use local variables instead of repeated phys_enc->* member access. The patch is referenced in upstream commits 35ea3282, 471baae7, 678d1c86, and 88733a0b.

Root Cause

The root cause is an inconsistent defensive programming pattern. The driver author guards hw_pp dereferences with NULL checks in most branches of dpu_encoder_phys_wb_setup_ctl(), but one branch directly accesses members of the pingpong structure without first verifying the pointer. Under specific display configurations where the writeback encoder runs without an attached pingpong block, the unchecked access dereferences NULL.

Attack Vector

The attack vector is local. A user with low privileges who can interact with the DRM device nodes (typically /dev/dri/card* and /dev/dri/renderD*) on a system using the Qualcomm MSM DPU driver can trigger the vulnerable code path through display configuration ioctls. Successful triggering crashes the kernel and renders the system unavailable until reboot. The vulnerability does not expose data confidentiality or integrity, only availability.

No public proof-of-concept exists, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS data places exploitation probability in the lowest range.

Detection Methods for CVE-2025-71138

Indicators of Compromise

  • Kernel oops or panic messages referencing dpu_encoder_phys_wb_setup_ctl in dmesg or /var/log/kern.log
  • Unexpected reboots on Qualcomm Snapdragon hardware running affected kernels
  • BUG messages containing NULL pointer dereference with stack traces pointing into drivers/gpu/drm/msm/disp/dpu1/

Detection Strategies

  • Inventory running kernel versions across the fleet and flag hosts running Linux 5.19 or 6.19-rc series builds with the MSM DPU driver loaded
  • Parse dmesg and persistent kernel logs for oops signatures that include the dpu_encoder_phys_wb symbol
  • Correlate display subsystem crashes with local user sessions or process activity that opened DRM device nodes

Monitoring Recommendations

  • Forward kernel logs to a centralized logging or SIEM platform and alert on Oops: or BUG: unable to handle patterns referencing the MSM DPU stack
  • Track loaded kernel modules and identify devices where msm is in use to scope exposure
  • Monitor sudden device reboots on ARM64 endpoints and developer boards running mainline kernel candidates

How to Mitigate CVE-2025-71138

Immediate Actions Required

  • Apply the upstream stable kernel patches 35ea3282, 471baae7, 678d1c86, or 88733a0b corresponding to your kernel branch
  • Rebuild and deploy the patched kernel across affected Qualcomm Snapdragon-based Linux systems
  • Restrict access to DRM device nodes to trusted users on multi-user systems until patches are applied

Patch Information

The Linux kernel maintainers committed the fix to multiple stable branches. Reference the upstream commits at Kernel Patch Commit 35ea328, Kernel Patch Commit 471baa, Kernel Patch Commit 678d1c, and Kernel Patch Commit 88733a. Consume the fix through your distribution's stable kernel update channel.

Workarounds

  • Restrict permissions on /dev/dri/card* and /dev/dri/renderD* to limit which local users can invoke DRM ioctls
  • Where the writeback path is not required, avoid loading display configurations that exercise the MSM DPU writeback encoder
  • On non-production systems, downgrade to a kernel branch that predates the affected code paths until patches can be applied
bash
# Verify kernel version and check whether the msm DPU driver is loaded
uname -r
lsmod | grep -i msm

# After deploying the patched kernel, confirm the fix is present in the source tree
git -C /usr/src/linux log --oneline | grep -E '35ea3282|471baae7|678d1c86|88733a0b'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.