This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. The bugs can be triggered by an attacker controlling a local unprivileged process. Their security implications were confirmed via a proof of concept that achieves kernel read and write primitives.

The NVIDIA Open source driver

Back in 2022, NVIDIA started distributing the Linux Open GPU Kernel Modules. Since 2024, using these modules is officially "the right move" for both consumer and server hardware. The driver provides multiple kernel modules, the bugs being found in nvidia.ko and nvidia-uvm.ko. They expose ioctls on device files, most of them being accessible to unprivileged users. These ioctls are meant to be used by NVIDIA's proprietary userland binaries and libraries. However, using the header files provided in the kernel modules repository as a basis, it's possible to make direct ioctl calls.

While manually probing the attack surface related to memory allocation and management, we found two vulnerabilities. They were reported to NVIDIA and the vendor issued fixes in their NVIDIA GPU Display Drivers update of October 2025.

Bug #1: Kernel null-pointer dereference in nvidia-uvm module (CVE-2025-23300)

The UVM_MAP_EXTERNAL_ALLOCATION ioctl of the nvidia-uvm module allows mapping memory allocated from the main nvidia module into the Unified Virtual Memory framework. This includes memory allocations of type NV01_MEMORY_DEVICELESS which are not associated with any device and therefore have the pGpu field of their corresponding MEMORY_DESCRIPTOR structure set to null. The ioctl call leads to an unchecked use of this field, resulting in a kernel null-pointer dereference.
An example stack trace is provided below:

// linux 6.11.0-24 + nvidia 570.86.15 from Ubuntu Noble
osIovaMap+0x11e/0x630 [nvidia]
iovaspaceAcquireMapping_IMPL+0x232/0x470 [nvidia]
memdescMapIommu+0x90/0x300 [nvidia]
dupMemory+0x2d9/0x830 [nvidia]
nvUvmInterfaceDupMemory+0x44/0...
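For triage on hosts that have not yet received the October 2025 driver update, the sketch below flags kernel NULL-dereference oopses whose frames match the trace above. It is an added example, not code from the article or from NVIDIA; it assumes the usual Linux oops log layout, and the function names, the sample log, its timestamps and the example_* symbols are constructed for illustration.

```python
import re

# Frames the page's trace shows in full, innermost first; offsets are build-specific.
SIGNATURE = [("osIovaMap", "nvidia"), ("iovaspaceAcquireMapping_IMPL", "nvidia"),
             ("memdescMapIommu", "nvidia"), ("dupMemory", "nvidia")]
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(?:RIP: [0-9a-f]{4}:)?(?P<unreliable>\? )?"
                   r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
                   r"(?: \[(?P<mod>\w+)\])?")

def oops_frames(lines):
    """Yield, per NULL-dereference oops, its reliable frames as (symbol, module)."""
    frames = None
    for raw in lines:
        line = STAMP.sub("", raw).strip()
        if "BUG: kernel NULL pointer dereference" in line:
            if frames is not None:      # previous oops had no end marker
                yield frames
            frames = []
        elif frames is not None and line.startswith("---[ end trace"):
            yield frames
            frames = None
        elif frames is not None:
            m = FRAME.match(line)
            if m and not m.group("unreliable"):  # skip '? ' unwinder guesses
                frames.append((m.group("sym"), m.group("mod")))
    if frames is not None:
        yield frames

def matches_signature(frames, signature=SIGNATURE):
    """True if the signature occurs, in order, within the frames."""
    it = iter(frames)
    return all(any(f == want for f in it) for want in signature)

def scan(lines):
    return [matches_signature(f) for f in oops_frames(lines)]

# Constructed kernel log: timestamps, addresses and example_* names are made up.
SAMPLE_LOG = """\
[  812.104233] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.104301] RIP: 0010:osIovaMap+0x11e/0x630 [nvidia]
[  812.104377] Call Trace:
[  812.104391]  ? example_helper+0x10/0x40
[  812.104402]  iovaspaceAcquireMapping_IMPL+0x232/0x470 [nvidia]
[  812.104455]  memdescMapIommu+0x90/0x300 [nvidia]
[  812.104501]  dupMemory+0x2d9/0x830 [nvidia]
[  812.104570] ---[ end trace 0000000000000000 ]---
[ 1290.551020] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 1290.551101] RIP: 0010:example_probe+0x2a/0x90 [example_mod]"""
print(scan(SAMPLE_LOG.splitlines()))  # [True, False]
```

The truncated fifth frame of the page's trace is left out of the signature, and matching is on symbol and module only so that it survives driver rebuilds.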
First seen: 2025-10-15 15:43
Last seen: 2025-10-16 07:46