7.8

CVE-2025-23158

media: venus: hfi: add check to handle incorrect queue size

In the Linux kernel, the following vulnerability has been resolved:

media: venus: hfi: add check to handle incorrect queue size

qsize represents size of shared queued between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, so the following code will
result in an OOB write.
...
qsize = qhdr->q_size

if (wr_idx >= rd_idx)
 empty_space = qsize - (wr_idx - rd_idx)
....
if (new_wr_idx < qsize) {
 memcpy(wr_ptr, packet, dwords << 2) --> OOB write

Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.13 < 5.4.293
LinuxLinux Kernel Version >= 5.5 < 5.10.237
LinuxLinux Kernel Version >= 5.11 < 5.15.181
LinuxLinux Kernel Version >= 5.16 < 6.1.135
LinuxLinux Kernel Version >= 6.2 < 6.6.88
LinuxLinux Kernel Version >= 6.7 < 6.12.24
LinuxLinux Kernel Version >= 6.13 < 6.13.12
LinuxLinux Kernel Version >= 6.14 < 6.14.3
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.082
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/cf5f7bb4e0d786f4d9d50ae6b5963935eab71d75
Patch
https://git.kernel.org/stable/c/40084302f639b3fe954398c5ba5ee556b7242b54
Patch
https://git.kernel.org/stable/c/679424f8b31446f90080befd0300ea915485b096
Patch
https://git.kernel.org/stable/c/edb89d69b1438681daaf5ca90aed3242df94cc96
Patch
https://git.kernel.org/stable/c/101a86619aab42bb61f2253bbf720121022eab86
Patch
https://git.kernel.org/stable/c/69baf245b23e20efda0079238b27fc63ecf13de1
Patch
https://git.kernel.org/stable/c/1b86c1917e16bafbbb08ab90baaff533aa36c62d
Patch
https://git.kernel.org/stable/c/32af5c1fdb9bc274f52ee0472d3b060b18e4aab4
Patch
https://git.kernel.org/stable/c/a45957bcde529169188929816775a575de77d84f
Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Mailing List
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
Mailing List