Oops It's a kernel stack use-after-free: Exploiting Nvidia's GPU Linux drivers
a day ago
- #NVIDIA
- #use-after-free
- #kernel-exploitation
- Two vulnerabilities in NVIDIA Linux Open GPU Kernel Modules (CVE-2025-23280 and CVE-2025-23300) allow local unprivileged attackers to achieve kernel read/write primitives.
- Bug #1 (CVE-2025-23300) is a kernel null-pointer dereference in the nvidia-uvm module when handling UVM_MAP_EXTERNAL_ALLOCATION ioctl calls with deviceless memory.
- Bug #2 (CVE-2025-23280) is a kernel use-after-free in the threadStateInit()/threadStateFree() functions: when a kernel oops occurs between the two calls, a pointer to the freed stack is left in a global tree.
- Exploitation involves shaping the vmalloc area to control the UAF, leaking kernel addresses via tree manipulation, and achieving arbitrary writes through red-black tree rotations.
- Final escalation involves corrupting a file pointer in the kernel stack to gain control of a struct file, bypassing KASLR, and using function pointers to achieve root privileges.
- NVIDIA released fixes in October 2025 after coordinated disclosure, with initial reporting on June 18, 2025 and public disclosure on October 14, 2025.