CVE-2025-38227
published 2025-07-04CVE-2025-38227: In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: Terminating the subsequent process of initialization failure
syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
After PSI initialization fails, the si member is accessed again, resulting
in this uaf.
After si initialization fails, the subsequent process needs to be exited.
[1]
BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_grou
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < e1d72ff111eceea6b28dccb7ca4e8f4900b11729 | e1d72ff111eceea6b28dccb7ca4e8f4900b11729 |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < 7e62be1f3b241bc9faee547864bb39332955509b | 7e62be1f3b241bc9faee547864bb39332955509b |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < 685c18bc5a36f823ee725e85aac1303ef5f535ba | 685c18bc5a36f823ee725e85aac1303ef5f535ba |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < 9824e1732a163e005aa84e12ec439493ebd4f097 | 9824e1732a163e005aa84e12ec439493ebd4f097 |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < 72541cae73d0809a6416bfcd2ee6473046a0013a | 72541cae73d0809a6416bfcd2ee6473046a0013a |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < f8c2483be6e8bb6c2148315b4a924c65bb442b5e | f8c2483be6e8bb6c2148315b4a924c65bb442b5e |
| linux | linux | >= 3be8037960bccd13052cfdeba8805ad785041d70 < 1d5f88f053480326873115092bc116b7d14916ba | 1d5f88f053480326873115092bc116b7d14916ba |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-88.89 | 6.8.0-88.89 |
| linux | linux_kernel | >= 5.10.1 < 5.10.239 | 5.10.239 |
| linux | linux_kernel | >= 5.11 < 5.15.186 | 5.15.186 |
| linux | linux_kernel | >= 5.16 < 6.1.142 | 6.1.142 |
| linux | linux_kernel | >= 6.13 < 6.15.4 | 6.15.4 |
| linux | linux_kernel | >= 6.2 < 6.6.95 | 6.6.95 |
| linux | linux_kernel | >= 6.7 < 6.12.35 | 6.12.35 |
| msrc | azl3_kernel_6.6.92.2-2_on_azure_linux_3.0 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH