CVE-2025-38511 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Clear all LMTT pages on alloc Our LMEM buffer objects are not cleared by default on alloc and during VF provisioning we only setup LMTT PTEs for the actually provisioned LMEM range. But beyond that valid range we might leave some stale data that could either point to some other VFs allocations or even to the PF pages. Explicitly clear all new LMTT page to avoid the risk that a malicious VF would try to exploit that gap. While around add asserts to catch any undesired PTE overwrites and low-level debug traces to track LMTT PT life-cycle. (cherry picked from commit 3fae6918a3e27cce20ded2551f863fb05d4bef8d)

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-08-16	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-08-16

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2025-38511

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-38511 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2025-38511
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-38511
`suse`	high	CVE-2025-38511 severity important: SUSE including 380 source package names (13.2-9.1:libsqlite3-0-3.49.1-1.1, 2.1.3-6.31:libsqlite3-0-3.49.1-1.1, …), 835 product×package rows across 122 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (122 product lines)): Fixed 305, Known Not Affected 274, Known Affected 231, First Fixed 25.	https://www.suse.com/security/cve/CVE-2025-38511/
`ubuntu`	medium	CVE-2025-38511 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, ignored 161, released 133, not-affected 96, needed 3, needs-triage 2, pending 2.	https://ubuntu.com/security/CVE-2025-38511

Affected software / configurations for CVE-2025-38511

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.8, < 6.12.39	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.15.7	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc5::::::

References for CVE-2025-38511

URL	Tags
https://git.kernel.org/stable/c/5d21892c2e15b6a27f8bc907693eca7c6b7cc269	Patch
https://git.kernel.org/stable/c/705a412a367f383430fa34bada387af2e52eb043	Patch
https://git.kernel.org/stable/c/ff4b8c9ade1b82979fdd01e6f45b60f92eed26d8	Patch

URL

CVE-2025-38511 | drm/xe/pf: Clear all LMTT pages on alloc

Exploit prediction scoring system (EPSS) score for CVE-2025-38511

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38511

Weakness enumeration for CVE-2025-38511

OS Trackers for CVE-2025-38511

Affected software / configurations for CVE-2025-38511

References for CVE-2025-38511