CVE-2025-38227
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38227
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38227.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38227
- Downstream
- Related
- Published
- 2025-07-04T13:37:41Z
- Modified
- 2025-10-16T03:40:39.067208Z
- Summary
- media: vidtv: Terminating the subsequent process of initialization failure
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: Terminating the subsequent process of initialization failure
syzbot reported a slab-use-after-free Read in vidtvmuxinit. [1]
After PSI initialization fails, the si member is accessed again, resulting in this uaf.
After si initialization fails, the subsequent process needs to be exited.
[1] BUG: KASAN: slab-use-after-free in vidtvmuxpidctxinit drivers/media/test-drivers/vidtv/vidtvmux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtvmuxinit+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xc3/0x670 mm/kasan/report.c:521 kasanreport+0xd9/0x110 mm/kasan/report.c:634 vidtvmuxpidctxinit drivers/media/test-drivers/vidtv/vidtvmux.c:78 vidtvmuxinit+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:524 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 vidtvstartfeed drivers/media/test-drivers/vidtv/vidtvbridge.c:239 dmxsectionfeedstartfiltering drivers/media/dvb-core/dvbdemux.c:973 dvbdmxdevfeedstart drivers/media/dvb-core/dmxdev.c:508 [inline] dvbdmxdevfeedrestart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvbdmxdevfilterstop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvbdmxdevfilterfree drivers/media/dvb-core/dmxdev.c:840 [inline] dvbdemuxrelease+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 _fput+0x3ff/0xb70 fs/filetable.c:464 taskworkrun+0x14e/0x250 kernel/taskwork.c:227 exittaskwork include/linux/taskwork.h:40 [inline] doexit+0xad8/0x2d70 kernel/exit.c:938 dogroupexit+0xd3/0x2a0 kernel/exit.c:1087 _dosysexitgroup kernel/exit.c:1098 [inline] _sesysexitgroup kernel/exit.c:1096 [inline] _x64sysexitgroup+0x3e/0x50 kernel/exit.c:1096 x64syscall+0x151f/0x1720 arch/x86/include/generated/asm/syscalls64.h:232 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIGRAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK>
Allocated by task 6059: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmallocnoprof include/linux/slab.h:901 [inline] kzallocnoprof include/linux/slab.h:1037 [inline] vidtvpsipattableinit drivers/media/test-drivers/vidtv/vidtvpsi.c:970 vidtvchannelsiinit drivers/media/test-drivers/vidtv/vidtvchannel.c:423 vidtvmuxinit drivers/media/test-drivers/vidtv/vidtvmux.c:519 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 vidtvstartfeed drivers/media/test-drivers/vidtv/vidtvbridge.c:239 dmxsectionfeedstartfiltering drivers/media/dvb-core/dvbdemux.c:973 dvbdmxdevfeedstart drivers/media/dvb-core/dmxdev.c:508 [inline] dvbdmxdevfeedrestart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvbdmxdevfilterstop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvbdmxdevfilterfree drivers/media/dvb-core/dmxdev.c:840 [inline] dvbdemuxrelease+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 _fput+0x3ff/0xb70 fs/file_tabl ---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1d5f88f053480326873115092bc116b7d14916ba
- https://git.kernel.org/stable/c/685c18bc5a36f823ee725e85aac1303ef5f535ba
- https://git.kernel.org/stable/c/72541cae73d0809a6416bfcd2ee6473046a0013a
- https://git.kernel.org/stable/c/7e62be1f3b241bc9faee547864bb39332955509b
- https://git.kernel.org/stable/c/9824e1732a163e005aa84e12ec439493ebd4f097
- https://git.kernel.org/stable/c/e1d72ff111eceea6b28dccb7ca4e8f4900b11729
- https://git.kernel.org/stable/c/f8c2483be6e8bb6c2148315b4a924c65bb442b5e
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixede1d72ff111eceea6b28dccb7ca4e8f4900b11729
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixed7e62be1f3b241bc9faee547864bb39332955509b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixed685c18bc5a36f823ee725e85aac1303ef5f535ba
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixed9824e1732a163e005aa84e12ec439493ebd4f097
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixed72541cae73d0809a6416bfcd2ee6473046a0013a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixedf8c2483be6e8bb6c2148315b4a924c65bb442b5e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3be8037960bccd13052cfdeba8805ad785041d70Fixed1d5f88f053480326873115092bc116b7d14916ba
Affected versions
v5.*
v6.*
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced5.10.0Fixed5.10.239
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.186
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.142
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.95
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.35
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.15.4