CVE-2025-37951: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2025-37951) was discovered in the Linux kernel's DRM V3D driver, disclosed on May 20, 2025. The vulnerability affects the handling of CL/CSD jobs in the GPU timeout mechanism (NVD, Wiz).

The vulnerability occurs when handling GPU job timeouts in the DRM V3D driver. When timedoutjob() is called, it removes the job from the pending list. If the GPU shows progress since the last timeout, the reset is skipped and the timer is rearmed, but the job isn't properly returned to the pending list. This implementation flaw prevents the job from being automatically freed through freejob() when it completes. The vulnerability has received a CVSS 3.1 score of 7.0 with the vector string AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Red Hat).

The primary impact of this vulnerability is a memory leak in the Linux kernel. When affected jobs complete after a timeout, they aren't properly freed, leading to gradual memory consumption that could potentially impact system stability over time (Wiz).

The vulnerability has been resolved by ensuring that jobs are properly added back to the pending list when the reset is skipped. This fix is similar to the approach taken in commit 704d3d60fec4 for the Etnaviv driver. The fix has been included in Linux kernel version 6.1.140-1 for Debian systems (Debian).