CVE-2025-71307 Linux CVE debrief

Who should care

Organizations running Linux systems with ARM Mali Panthor GPUs, particularly those using GPU passthrough, hot-plug configurations, or virtualized GPU environments where device removal may occur. Kernel maintainers and distributions packaging drm/panthor driver updates.

Technical summary

The drm/panthor driver in the Linux kernel contains a NULL pointer dereference vulnerability in the `panthor_fw_unplug()` function. The driver attempts to halt the MCU and wait for halt completion during GPU unplug operations, but this assumes the firmware is loaded and initialized. When the firmware is not initialized, the code dereferences a NULL pointer. The vulnerability is local and requires physical or logical access to trigger GPU removal. The fix removes the MCU halt and wait procedures from the unplug path, making it safe to disable the MCU without requiring it to be in a haltable state. This affects systems with ARM Mali Panthor GPUs.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the drm/panthor fix for CVE-2025-71307 when available from your Linux distribution
• Monitor stable kernel releases from kernel.org for the referenced commits
• For systems with Mali Panthor GPUs, plan maintenance windows to update kernel before physical GPU hot-unplug operations
• Review system logs for GPU-related errors that may indicate trigger conditions
• If running custom kernels, cherry-pick the referenced stable commits to prevent NULL pointer dereference during device removal

Evidence notes

The vulnerability description and resolution are sourced from the official CVE record published 2026-05-27. The fix involves removing MCU halt procedures from `panthor_fw_unplug()` to prevent NULL pointer dereference when firmware is not initialized. Two kernel.org stable tree commits are referenced as resolution sources.

Official resources