CVE-2025-38226

EPSS 0.04%
Published 04.07.2025 13:37:40
Last modified 17.07.2025 17:15:37
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

media: vivid: Change the siize of the composing

syzkaller found a bug:

BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304

CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
 tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
 vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The composition size cannot be larger than the size of fmt_cap_rect.
So execute v4l2_rect_map_inside() even if has_compose_cap == 0.

Affected products Warnungen 0 Metrics 1 CWE 0 References 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < 57597d8db5bbda618ba2145b7e8a7e6f01b6a27e

Version 54f259906039dbfe46c550011409fa16f72370f6

Status affected

Version < 635cea4f44c1ddae208666772c164eab5a6bce39

Version f9d19f3a044ca651b0be52a4bf951ffe74259b9f

Status affected

Version < 89b5ab822bf69867c3951dd0eb34b0314c38966b

Version ab54081a2843aefb837812fac5488cc8f1696142

Status affected

Version < 5d89aa42534723400fefd46e26e053b9c382b4ee

Version 2f558c5208b0f70c8140e08ce09fcc84da48e789

Status affected

Version < f6b1b0f8ba0b61d8b511df5649d57235f230c135

Version 94a7ad9283464b75b12516c5512541d467cefcf8

Status affected

Version < 00da1c767a6567e56f23dda586847586868ac064

Version 94a7ad9283464b75b12516c5512541d467cefcf8

Status affected

Version < c56398885716d97ee9bcadb2bc9663a8c1757a34

Version 94a7ad9283464b75b12516c5512541d467cefcf8

Status affected

Version < f83ac8d30c43fd902af7c84c480f216157b60ef0

Version 94a7ad9283464b75b12516c5512541d467cefcf8

Status affected

Version 8c0ee15d9a102c732d0745566d254040085d5663

Status affected

Version 5edc3604151919da8da0fb092b71d7dce07d848a

Status affected

Version 9c7fba9503b826f0c061d136f8f0c9f953ed18b9

Status affected

Version ccb5392c4fea0e7d9f7ab35567e839d74cb3998b

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 6.2

Status affected

Version < 6.2

Version 0

Status unaffected

Version <= 5.4.*

Version 5.4.296

Status unaffected

Version <= 5.10.*

Version 5.10.239

Status unaffected

Version <= 5.15.*

Version 5.15.186

Status unaffected

Version <= 6.1.*

Version 6.1.142

Status unaffected

Version <= 6.6.*

Version 6.6.95

Status unaffected

Version <= 6.12.*

Version 6.12.35

Status unaffected

Version <= 6.15.*

Version 6.15.4

Status unaffected

Version <= *

Version 6.16

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.097

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39

https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b

https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee

https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135

https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064

https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34

https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0

https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e

https://nvd.nist.gov/vuln/detail/CVE-2025-38226

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38226

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38226

EUVD