CVE-2025-38558

EPSS 0.02%
Veröffentlicht 19.08.2025 17:15:32
Zuletzt bearbeitet 20.08.2025 14:40:17
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: Initialize frame-based format color matching descriptor

Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color
matching descriptor for frame-based format which was added in
commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching
descriptors") that added handling for uncompressed and mjpeg format.

Crash is seen when userspace configuration (via configfs) does not
explicitly define the color matching descriptor. If color_matching is not
found, config_group_find_item() returns NULL. The code then jumps to
out_put_cm, where it calls config_item_put(color_matching);. If
color_matching is NULL, this will dereference a null pointer, leading to a
crash.

[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c
[    2.756273] Mem abort info:
[    2.760080]   ESR = 0x0000000096000005
[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits
[    2.771068]   SET = 0, FnV = 0
[    2.771069]   EA = 0, S1PTW = 0
[    2.771070]   FSC = 0x05: level 1 translation fault
[    2.771071] Data abort info:
[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000
[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[    2.771084] Dumping ftrace buffer:
[    2.771085]    (ftrace buffer empty)
[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15
[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)
[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc
[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c
[    2.771146] sp : ffffffc08140bbb0
[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250
[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768
[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48
[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00
[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250
[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615
[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0
[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a
[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000
[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000
[    2.771156] Call trace:
[    2.771157]  __uvcg_fill_strm+0x198/0x2cc
[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c
[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290
[    2.771159]  configfs_symlink+0x1f8/0x630
[    2.771161]  vfs_symlink+0x114/0x1a0
[    2.771163]  do_symlinkat+0x94/0x28c
[    2.771164]  __arm64_sys_symlinkat+0x54/0x70
[    2.771164]  invoke_syscall+0x58/0x114
[    2.771166]  el0_svc_common+0x80/0xe0
[    2.771168]  do_el0_svc+0x1c/0x28
[    2.771169]  el0_svc+0x3c/0x70
[    2.771172]  el0t_64_sync_handler+0x68/0xbc
[    2.771173]  el0t_64_sync+0x1a8/0x1ac

Initialize color matching descriptor for frame-based format to prevent
NULL pointer crash by mirroring the handling done for uncompressed and
mjpeg formats.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 6db61c1aa23075eeee90e083ca3f6567a5635da6

Version 7b5a58952fc3b51905c2963647485565df1e5e26

Status affected

Version < 7f8576fc9d1a203d12474bf52710c7af68cae490

Version 7b5a58952fc3b51905c2963647485565df1e5e26

Status affected

Version < 323a80a1a5ace319a722909c006d5bdb2a35d273

Version 7b5a58952fc3b51905c2963647485565df1e5e26

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.13

Status affected

Version < 6.13

Version 0

Status unaffected

Version <= 6.15.*

Version 6.15.10

Status unaffected

Version <= 6.16.*

Version 6.16.1

Status unaffected

Version <= *

Version 6.17-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.049

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273

https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6

https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490

https://nvd.nist.gov/vuln/detail/CVE-2025-38558

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38558

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38558

EUVD