Vulnerability-Lookup

CERTFR-2025-AVI-0825

Vulnerability from certfr_avis - Published: 2025-09-26 - Updated: 2025-09-26

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian trixie versions antérieures à 6.12.48-1
	Debian	Debian	Debian bookworm versions antérieures à 6.1.153-1

References

Title

Publication Time

CVE-2025-39706 (GCVE-0-2025-39706)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

drm/amdkfd: Destroy KFD debugfs after destroy KFD wq

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line debugfs_remove_recursive(entry->proc_dentry); tries to remove /sys/kernel/debug/kfd/proc/<pid> while /sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel NULL pointer. (cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/fc35c955da799ba62…
https://git.kernel.org/stable/c/74ee7445c3b61c3bd…
https://git.kernel.org/stable/c/96609a51e6134542b…
https://git.kernel.org/stable/c/910735ded17cc3066…
https://git.kernel.org/stable/c/2e58401a24e7b2d4e…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < fc35c955da799ba62f6f977d58e0866d0251e3f8 (git) Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 74ee7445c3b61c3bd899a54bd82c1982cb3a8206 (git) Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 96609a51e6134542bf90e053c2cd2fe4f61ebce3 (git) Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 910735ded17cc306625e7e1cdcc8102f7ac60994 (git) Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 2e58401a24e7b2d4ec619104e1a76590c1284a4c (git)
Linux	Linux	Affected: 3.19 Unaffected: 0 , < 3.19 (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:33.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:26.796Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_module.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc35c955da799ba62f6f977d58e0866d0251e3f8",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "74ee7445c3b61c3bd899a54bd82c1982cb3a8206",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "96609a51e6134542bf90e053c2cd2fe4f61ebce3",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "910735ded17cc306625e7e1cdcc8102f7ac60994",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "2e58401a24e7b2d4ec619104e1a76590c1284a4c",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_module.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Destroy KFD debugfs after destroy KFD wq\n\nSince KFD proc content was moved to kernel debugfs, we can\u0027t destroy KFD\ndebugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior\nto kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens\nwhen /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but\nkfd_process_destroy_wq calls kfd_debugfs_remove_process. This line\n    debugfs_remove_recursive(entry-\u003eproc_dentry);\ntries to remove /sys/kernel/debug/kfd/proc/\u003cpid\u003e while\n/sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel\nNULL pointer.\n\n(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:41.222Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc35c955da799ba62f6f977d58e0866d0251e3f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/74ee7445c3b61c3bd899a54bd82c1982cb3a8206"
        },
        {
          "url": "https://git.kernel.org/stable/c/96609a51e6134542bf90e053c2cd2fe4f61ebce3"
        },
        {
          "url": "https://git.kernel.org/stable/c/910735ded17cc306625e7e1cdcc8102f7ac60994"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e58401a24e7b2d4ec619104e1a76590c1284a4c"
        }
      ],
      "title": "drm/amdkfd: Destroy KFD debugfs after destroy KFD wq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39706",
    "datePublished": "2025-09-05T17:21:12.841Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-12T12:06:26.796Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39707 (GCVE-0-2025-39707)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-11 21:34

Title

drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities HUBBUB structure is not initialized on DCE hardware, so check if it is NULL to avoid null dereference while accessing amdgpu_dm_capabilities file in debugfs.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/83cfdc2b018cd9c0f…
https://git.kernel.org/stable/c/98e92fceb9507901e…
https://git.kernel.org/stable/c/b4a69f7f29c8a459a…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 83cfdc2b018cd9c0f927b781d4e07c0d4a911fac (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 98e92fceb9507901e3e8b550e93b843306abd354 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < b4a69f7f29c8a459ad6b4d8a8b72450f1d9fd288 (git)
Linux	Linux	Affected: 4.15 Unaffected: 0 , < 4.15 (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83cfdc2b018cd9c0f927b781d4e07c0d4a911fac",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "98e92fceb9507901e3e8b550e93b843306abd354",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "b4a69f7f29c8a459ad6b4d8a8b72450f1d9fd288",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities\n\nHUBBUB structure is not initialized on DCE hardware, so check if it is NULL\nto avoid null dereference while accessing amdgpu_dm_capabilities file in\ndebugfs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:42.331Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83cfdc2b018cd9c0f927b781d4e07c0d4a911fac"
        },
        {
          "url": "https://git.kernel.org/stable/c/98e92fceb9507901e3e8b550e93b843306abd354"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4a69f7f29c8a459ad6b4d8a8b72450f1d9fd288"
        }
      ],
      "title": "drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39707",
    "datePublished": "2025-09-05T17:21:13.958Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-11T21:34:42.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39709 (GCVE-0-2025-39709)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

media: venus: protect against spurious interrupts during probe

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. This error condition has been observed during system boot on Rb3Gen2.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/18c2b2bd982b85463…
https://git.kernel.org/stable/c/88cf63c2599761c48…
https://git.kernel.org/stable/c/9db6a78bc5e418e00…
https://git.kernel.org/stable/c/37cc0ac889b018097…
https://git.kernel.org/stable/c/f54be97bc69b10961…
https://git.kernel.org/stable/c/639eb587f977c0242…
https://git.kernel.org/stable/c/e796028b4835af00d…
https://git.kernel.org/stable/c/3200144a2fa4209dc…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 18c2b2bd982b8546312c9a7895515672169f28e0 (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 88cf63c2599761c48dec8f618d57dccf8f6f4b53 (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 9db6a78bc5e418e0064e2248c8f3b9b9e8418646 (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 37cc0ac889b018097c217c5929fd6dc2aed636a1 (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < f54be97bc69b1096198b6717c150dec69f2a1b4d (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 639eb587f977c02423f4762467055b23902b4131 (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < e796028b4835af00d9a38ebbb208ec3a6634702a (git) Affected: af2c3834c8ca7cc65d15592ac671933df8848115 , < 3200144a2fa4209dc084a19941b9b203b43580f0 (git)
Linux	Linux	Affected: 4.13 Unaffected: 0 , < 4.13 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:35.451Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:27.910Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18c2b2bd982b8546312c9a7895515672169f28e0",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "88cf63c2599761c48dec8f618d57dccf8f6f4b53",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "9db6a78bc5e418e0064e2248c8f3b9b9e8418646",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "37cc0ac889b018097c217c5929fd6dc2aed636a1",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "f54be97bc69b1096198b6717c150dec69f2a1b4d",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "639eb587f977c02423f4762467055b23902b4131",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "e796028b4835af00d9a38ebbb208ec3a6634702a",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            },
            {
              "lessThan": "3200144a2fa4209dc084a19941b9b203b43580f0",
              "status": "affected",
              "version": "af2c3834c8ca7cc65d15592ac671933df8848115",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: protect against spurious interrupts during probe\n\nMake sure the interrupt handler is initialized before the interrupt is\nregistered.\n\nIf the IRQ is registered before hfi_create(), it\u0027s possible that an\ninterrupt fires before the handler setup is complete, leading to a NULL\ndereference.\n\nThis error condition has been observed during system boot on Rb3Gen2."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:44.645Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18c2b2bd982b8546312c9a7895515672169f28e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/88cf63c2599761c48dec8f618d57dccf8f6f4b53"
        },
        {
          "url": "https://git.kernel.org/stable/c/9db6a78bc5e418e0064e2248c8f3b9b9e8418646"
        },
        {
          "url": "https://git.kernel.org/stable/c/37cc0ac889b018097c217c5929fd6dc2aed636a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f54be97bc69b1096198b6717c150dec69f2a1b4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/639eb587f977c02423f4762467055b23902b4131"
        },
        {
          "url": "https://git.kernel.org/stable/c/e796028b4835af00d9a38ebbb208ec3a6634702a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3200144a2fa4209dc084a19941b9b203b43580f0"
        }
      ],
      "title": "media: venus: protect against spurious interrupts during probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39709",
    "datePublished": "2025-09-05T17:21:16.153Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-12T12:06:27.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39710 (GCVE-0-2025-39710)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

media: venus: Add a check for packet size after reading from shared memory

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/0520c89f6280d2b60…
https://git.kernel.org/stable/c/f5b7a943055a4a106…
https://git.kernel.org/stable/c/ef09b96665f16f3f0…
https://git.kernel.org/stable/c/7638bae4539dcebc3…
https://git.kernel.org/stable/c/ba567c2e52fbcf0e2…
https://git.kernel.org/stable/c/2d8cea8310a245730…
https://git.kernel.org/stable/c/f0cbd9386f974d310…
https://git.kernel.org/stable/c/49befc830daa743e0…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 0520c89f6280d2b60ab537d5743601185ee7d8ab (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < f5b7a943055a4a106d40a03bacd940e28cc1955f (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < ef09b96665f16f3f0bac4e111160e6f24f1f8791 (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 7638bae4539dcebc3f68fda74ac35d73618ec440 (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < ba567c2e52fbcf0e20502746bdaa79e911c2e8cf (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < f0cbd9386f974d310a0d20a02e4a1323e95ea654 (git) Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 49befc830daa743e051a65468c05c2ff9e8580e6 (git)
Linux	Linux	Affected: 4.13 Unaffected: 0 , < 4.13 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:37.345Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:29.037Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0520c89f6280d2b60ab537d5743601185ee7d8ab",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "f5b7a943055a4a106d40a03bacd940e28cc1955f",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "ef09b96665f16f3f0bac4e111160e6f24f1f8791",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "7638bae4539dcebc3f68fda74ac35d73618ec440",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "ba567c2e52fbcf0e20502746bdaa79e911c2e8cf",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "f0cbd9386f974d310a0d20a02e4a1323e95ea654",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "49befc830daa743e051a65468c05c2ff9e8580e6",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Add a check for packet size after reading from shared memory\n\nAdd a check to ensure that the packet size does not exceed the number of\navailable words after reading the packet header from shared memory. This\nensures that the size provided by the firmware is safe to process and\nprevent potential out-of-bounds memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:45.807Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0520c89f6280d2b60ab537d5743601185ee7d8ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5b7a943055a4a106d40a03bacd940e28cc1955f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef09b96665f16f3f0bac4e111160e6f24f1f8791"
        },
        {
          "url": "https://git.kernel.org/stable/c/7638bae4539dcebc3f68fda74ac35d73618ec440"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba567c2e52fbcf0e20502746bdaa79e911c2e8cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d8cea8310a245730816a1fd0c9fa4a5a3bdc68c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0cbd9386f974d310a0d20a02e4a1323e95ea654"
        },
        {
          "url": "https://git.kernel.org/stable/c/49befc830daa743e051a65468c05c2ff9e8580e6"
        }
      ],
      "title": "media: venus: Add a check for packet size after reading from shared memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39710",
    "datePublished": "2025-09-05T17:21:17.243Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-12T12:06:29.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39711 (GCVE-0-2025-39711)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-11 21:34

Title

media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls

Summary

In the Linux kernel, the following vulnerability has been resolved: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Both the ACE and CSI driver are missing a mei_cldev_disable() call in their remove() function. This causes the mei_cl client to stay part of the mei_device->file_list list even though its memory is freed by mei_cl_bus_dev_release() calling kfree(cldev->cl). This leads to a use-after-free when mei_vsc_remove() runs mei_stop() which first removes all mei bus devices calling mei_ace_remove() and mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing the just freed cldev->cl. And mei_vsc_remove() it self is run at shutdown because of the platform_device_unregister(tp->pdev) in vsc_tp_shutdown() When building a kernel with KASAN this leads to the following KASAN report: [ 106.634504] ================================================================== [ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei [ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1 [ 106.634729] [ 106.634767] Tainted: [E]=UNSIGNED_MODULE [ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025 [ 106.634773] Call Trace: [ 106.634777] <TASK> ... [ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) [ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei [ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei [ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei ... [ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei [ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc [ 106.635066] platform_remove (drivers/base/platform.c:1424) Add the missing mei_cldev_disable() calls so that the mei_cl gets removed from mei_device->file_list before it is freed to fix this.

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db…
https://git.kernel.org/stable/c/639f5b33fcd7c5915…
https://git.kernel.org/stable/c/1dfe73394dcfc9b04…
https://git.kernel.org/stable/c/0c92c49fc688cfada…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 3c0e4cc4f55f9a1db2a761e4ffb27c9594245888 (git) Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 639f5b33fcd7c59157f29b09f6f2866eacf9279c (git) Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 1dfe73394dcfc9b049c8da0dc181c45f156a5f49 (git) Affected: 29006e196a5661d9afc8152fa2bf8a5347ac17b4 , < 0c92c49fc688cfadacc47ae99b06a31237702e9e (git)
Linux	Linux	Affected: 6.6 Unaffected: 0 , < 6.6 (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/pci/intel/ivsc/mei_ace.c",
            "drivers/media/pci/intel/ivsc/mei_csi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c0e4cc4f55f9a1db2a761e4ffb27c9594245888",
              "status": "affected",
              "version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
              "versionType": "git"
            },
            {
              "lessThan": "639f5b33fcd7c59157f29b09f6f2866eacf9279c",
              "status": "affected",
              "version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
              "versionType": "git"
            },
            {
              "lessThan": "1dfe73394dcfc9b049c8da0dc181c45f156a5f49",
              "status": "affected",
              "version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
              "versionType": "git"
            },
            {
              "lessThan": "0c92c49fc688cfadacc47ae99b06a31237702e9e",
              "status": "affected",
              "version": "29006e196a5661d9afc8152fa2bf8a5347ac17b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/pci/intel/ivsc/mei_ace.c",
            "drivers/media/pci/intel/ivsc/mei_csi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls\n\nBoth the ACE and CSI driver are missing a mei_cldev_disable() call in\ntheir remove() function.\n\nThis causes the mei_cl client to stay part of the mei_device-\u003efile_list\nlist even though its memory is freed by mei_cl_bus_dev_release() calling\nkfree(cldev-\u003ecl).\n\nThis leads to a use-after-free when mei_vsc_remove() runs mei_stop()\nwhich first removes all mei bus devices calling mei_ace_remove() and\nmei_csi_remove() followed by mei_cl_bus_dev_release() and then calls\nmei_cl_all_disconnect() which walks over mei_device-\u003efile_list dereferecing\nthe just freed cldev-\u003ecl.\n\nAnd mei_vsc_remove() it self is run at shutdown because of the\nplatform_device_unregister(tp-\u003epdev) in vsc_tp_shutdown()\n\nWhen building a kernel with KASAN this leads to the following KASAN report:\n\n[ 106.634504] ==================================================================\n[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1\n[ 106.634729]\n[ 106.634767] Tainted: [E]=UNSIGNED_MODULE\n[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025\n[ 106.634773] Call Trace:\n[ 106.634777]  \u003cTASK\u003e\n...\n[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei\n[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei\n[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei\n...\n[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei\n[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc\n[ 106.635066] platform_remove (drivers/base/platform.c:1424)\n\nAdd the missing mei_cldev_disable() calls so that the mei_cl gets removed\nfrom mei_device-\u003efile_list before it is freed to fix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:46.985Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c0e4cc4f55f9a1db2a761e4ffb27c9594245888"
        },
        {
          "url": "https://git.kernel.org/stable/c/639f5b33fcd7c59157f29b09f6f2866eacf9279c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1dfe73394dcfc9b049c8da0dc181c45f156a5f49"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c92c49fc688cfadacc47ae99b06a31237702e9e"
        }
      ],
      "title": "media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39711",
    "datePublished": "2025-09-05T17:21:18.348Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-11T21:34:46.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39712 (GCVE-0-2025-39712)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-11 21:34

Title

media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval

Summary

In the Linux kernel, the following vulnerability has been resolved: media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval() and mt9m114_ifp_set_frame_interval(). [1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129 [2] Documentation/driver-api/media/v4l2-subdev.rst

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/0d23b548d71e5d769…
https://git.kernel.org/stable/c/41b97490a1656bdc7…
https://git.kernel.org/stable/c/298d1471cf83d5a2a…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 24d756e914fc3418bad7897b0657aefa9ef848e8 , < 0d23b548d71e5d76955fdf1d73addd8f6494f602 (git) Affected: 24d756e914fc3418bad7897b0657aefa9ef848e8 , < 41b97490a1656bdc7038d6345a84b08d45deafc6 (git) Affected: 24d756e914fc3418bad7897b0657aefa9ef848e8 , < 298d1471cf83d5a2a05970e41822a2403f451086 (git)
Linux	Linux	Affected: 6.7 Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/i2c/mt9m114.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d23b548d71e5d76955fdf1d73addd8f6494f602",
              "status": "affected",
              "version": "24d756e914fc3418bad7897b0657aefa9ef848e8",
              "versionType": "git"
            },
            {
              "lessThan": "41b97490a1656bdc7038d6345a84b08d45deafc6",
              "status": "affected",
              "version": "24d756e914fc3418bad7897b0657aefa9ef848e8",
              "versionType": "git"
            },
            {
              "lessThan": "298d1471cf83d5a2a05970e41822a2403f451086",
              "status": "affected",
              "version": "24d756e914fc3418bad7897b0657aefa9ef848e8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/i2c/mt9m114.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval\n\nGetting / Setting the frame interval using the V4L2 subdev pad ops\nget_frame_interval/set_frame_interval causes a deadlock, as the\nsubdev state is locked in the [1] but also in the driver itself.\n\nIn [2] it\u0027s described that the caller is responsible to acquire and\nrelease the lock in this case. Therefore, acquiring the lock in the\ndriver is wrong.\n\nRemove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval()\nand mt9m114_ifp_set_frame_interval().\n\n[1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129\n[2] Documentation/driver-api/media/v4l2-subdev.rst"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:48.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d23b548d71e5d76955fdf1d73addd8f6494f602"
        },
        {
          "url": "https://git.kernel.org/stable/c/41b97490a1656bdc7038d6345a84b08d45deafc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/298d1471cf83d5a2a05970e41822a2403f451086"
        }
      ],
      "title": "media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39712",
    "datePublished": "2025-09-05T17:21:19.494Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-11T21:34:48.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39713 (GCVE-0-2025-39713)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

Summary

In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow. Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. An corresponding spin_unlock() is added to the overflow path to correctly release the lock. This possible bug was found by an experimental static analysis tool developed by our team.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/2964dbe631fd21ad7…
https://git.kernel.org/stable/c/6aaef1a75985865d8…
https://git.kernel.org/stable/c/fbc81e78d75bf2897…
https://git.kernel.org/stable/c/3c3e33b7edca7a2d6…
https://git.kernel.org/stable/c/1c2769dc802558245…
https://git.kernel.org/stable/c/ed905fe7cba03cf22…
https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54…
https://git.kernel.org/stable/c/7af160aea26c7dc9e…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 2964dbe631fd21ad7873b1752b895548d3c12496 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 6aaef1a75985865d8c6c5b65fb54152060faba48 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < fbc81e78d75bf28972bc22b1599559557b1a1b83 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 3c3e33b7edca7a2d6a96801f287f9faeb684d655 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 1c2769dc80255824542ea5a4ff1a07dcdeb1603f (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < ed905fe7cba03cf22ae0b84cf1b73cd1c070423a (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59 (git) Affected: 0f314f6c2e77beb1a232be21dd6be4e1849ba5ac , < 7af160aea26c7dc9e6734d19306128cce156ec40 (git)
Linux	Linux	Affected: 4.12 Unaffected: 0 , < 4.12 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:39.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:30.232Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2964dbe631fd21ad7873b1752b895548d3c12496",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "6aaef1a75985865d8c6c5b65fb54152060faba48",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "fbc81e78d75bf28972bc22b1599559557b1a1b83",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "3c3e33b7edca7a2d6a96801f287f9faeb684d655",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "1c2769dc80255824542ea5a4ff1a07dcdeb1603f",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "ed905fe7cba03cf22ae0b84cf1b73cd1c070423a",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            },
            {
              "lessThan": "7af160aea26c7dc9e6734d19306128cce156ec40",
              "status": "affected",
              "version": "0f314f6c2e77beb1a232be21dd6be4e1849ba5ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/cec/usb/rainshadow/rainshadow-cec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n\nIn the interrupt handler rain_interrupt(), the buffer full check on\nrain-\u003ebuf_len is performed before acquiring rain-\u003ebuf_lock. This\ncreates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as\nrain-\u003ebuf_len is concurrently accessed and modified in the work\nhandler rain_irq_work_handler() under the same lock.\n\nMultiple interrupt invocations can race, with each reading buf_len\nbefore it becomes full and then proceeding. This can lead to both\ninterrupts attempting to write to the buffer, incrementing buf_len\nbeyond its capacity (DATA_SIZE) and causing a buffer overflow.\n\nFix this bug by moving the spin_lock() to before the buffer full\ncheck. This ensures that the check and the subsequent buffer modification\nare performed atomically, preventing the race condition. An corresponding\nspin_unlock() is added to the overflow path to correctly release the\nlock.\n\nThis possible bug was found by an experimental static analysis tool\ndeveloped by our team."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:49.278Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2964dbe631fd21ad7873b1752b895548d3c12496"
        },
        {
          "url": "https://git.kernel.org/stable/c/6aaef1a75985865d8c6c5b65fb54152060faba48"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbc81e78d75bf28972bc22b1599559557b1a1b83"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c3e33b7edca7a2d6a96801f287f9faeb684d655"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c2769dc80255824542ea5a4ff1a07dcdeb1603f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed905fe7cba03cf22ae0b84cf1b73cd1c070423a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff9dd3db6cd4c6b54a2ecbc58151bea4ec63bc59"
        },
        {
          "url": "https://git.kernel.org/stable/c/7af160aea26c7dc9e6734d19306128cce156ec40"
        }
      ],
      "title": "media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39713",
    "datePublished": "2025-09-05T17:21:20.459Z",
    "dateReserved": "2025-04-16T07:20:57.116Z",
    "dateUpdated": "2026-05-12T12:06:30.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39714 (GCVE-0-2025-39714)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

media: usbtv: Lock resolution while streaming

Summary

In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming]

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/c35e7c7a004ef379a…
https://git.kernel.org/stable/c/ee7bade8b92448342…
https://git.kernel.org/stable/c/5427dda195d6baf23…
https://git.kernel.org/stable/c/ef9b3c22405192afa…
https://git.kernel.org/stable/c/3d83d0b5ae5045a7a…
https://git.kernel.org/stable/c/c3d75524e10021aa5…
https://git.kernel.org/stable/c/9f886d21e235c4bd0…
https://git.kernel.org/stable/c/7e40e0bb778907b24…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c35e7c7a004ef379a1ae7c7486d4829419acad1d (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ee7bade8b9244834229b12b6e1e724939bedd484 (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 5427dda195d6baf23028196fd55a0c90f66ffa61 (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < ef9b3c22405192afaa279077ddd45a51db90b83d (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9 (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < c3d75524e10021aa5c223d94da4996640aed46c0 (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 9f886d21e235c4bd038cb20f6696084304197ab3 (git) Affected: 0e0fe3958fdd13dbf55c3a787acafde6efd04272 , < 7e40e0bb778907b2441bff68d73c3eb6b6cd319f (git)
Linux	Linux	Affected: 3.14 Unaffected: 0 , < 3.14 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:41.101Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:31.361Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/usbtv/usbtv-video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c35e7c7a004ef379a1ae7c7486d4829419acad1d",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "ee7bade8b9244834229b12b6e1e724939bedd484",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "5427dda195d6baf23028196fd55a0c90f66ffa61",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "ef9b3c22405192afaa279077ddd45a51db90b83d",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "c3d75524e10021aa5c223d94da4996640aed46c0",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "9f886d21e235c4bd038cb20f6696084304197ab3",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            },
            {
              "lessThan": "7e40e0bb778907b2441bff68d73c3eb6b6cd319f",
              "status": "affected",
              "version": "0e0fe3958fdd13dbf55c3a787acafde6efd04272",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/usbtv/usbtv-video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Lock resolution while streaming\n\nWhen an program is streaming (ffplay) and another program (qv4l2)\nchanges the TV standard from NTSC to PAL, the kernel crashes due to trying\nto copy to unmapped memory.\n\nChanging from NTSC to PAL increases the resolution in the usbtv struct,\nbut the video plane buffer isn\u0027t adjusted, so it overflows.\n\n[hverkuil: call vb2_is_busy instead of vb2_is_streaming]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:50.505Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c35e7c7a004ef379a1ae7c7486d4829419acad1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee7bade8b9244834229b12b6e1e724939bedd484"
        },
        {
          "url": "https://git.kernel.org/stable/c/5427dda195d6baf23028196fd55a0c90f66ffa61"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef9b3c22405192afaa279077ddd45a51db90b83d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d83d0b5ae5045a7a246ed116b5f6c688a12f9e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3d75524e10021aa5c223d94da4996640aed46c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f886d21e235c4bd038cb20f6696084304197ab3"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e40e0bb778907b2441bff68d73c3eb6b6cd319f"
        }
      ],
      "title": "media: usbtv: Lock resolution while streaming",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39714",
    "datePublished": "2025-09-05T17:21:21.435Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2026-05-12T12:06:31.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39715 (GCVE-0-2025-39715)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

parisc: Revise gateway LWS calls to probe user read access

Summary

In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for user code to execute a LWS compare and swap operation at an address that is read protected at privilege level 3 (PRIV_USER). Fix this by probing read access rights at privilege level 3 and branching to lws_fault if access isn't allowed.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/e8b496c52aa0c6572…
https://git.kernel.org/stable/c/8bccf47adbf658293…
https://git.kernel.org/stable/c/bc0a24c24ceebabb5…
https://git.kernel.org/stable/c/9b6af875baba9c467…
https://git.kernel.org/stable/c/f6334f4ae9a4e962b…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: d0585d742ff2d82accd26c661c60a6d260429c4a , < e8b496c52aa0c6572d88db7cab85aeea6f9c194d (git) Affected: d0585d742ff2d82accd26c661c60a6d260429c4a , < 8bccf47adbf658293528e86960e6d6f736b1c9f7 (git) Affected: d0585d742ff2d82accd26c661c60a6d260429c4a , < bc0a24c24ceebabb5ba65900e332233d79e625e6 (git) Affected: d0585d742ff2d82accd26c661c60a6d260429c4a , < 9b6af875baba9c4679b55f4561e201485451305f (git) Affected: d0585d742ff2d82accd26c661c60a6d260429c4a , < f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 (git)
Linux	Linux	Affected: 5.17 Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:42.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:32.491Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/parisc/kernel/syscall.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e8b496c52aa0c6572d88db7cab85aeea6f9c194d",
              "status": "affected",
              "version": "d0585d742ff2d82accd26c661c60a6d260429c4a",
              "versionType": "git"
            },
            {
              "lessThan": "8bccf47adbf658293528e86960e6d6f736b1c9f7",
              "status": "affected",
              "version": "d0585d742ff2d82accd26c661c60a6d260429c4a",
              "versionType": "git"
            },
            {
              "lessThan": "bc0a24c24ceebabb5ba65900e332233d79e625e6",
              "status": "affected",
              "version": "d0585d742ff2d82accd26c661c60a6d260429c4a",
              "versionType": "git"
            },
            {
              "lessThan": "9b6af875baba9c4679b55f4561e201485451305f",
              "status": "affected",
              "version": "d0585d742ff2d82accd26c661c60a6d260429c4a",
              "versionType": "git"
            },
            {
              "lessThan": "f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8",
              "status": "affected",
              "version": "d0585d742ff2d82accd26c661c60a6d260429c4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/parisc/kernel/syscall.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise gateway LWS calls to probe user read access\n\nWe use load and stbys,e instructions to trigger memory reference\ninterruptions without writing to memory. Because of the way read\naccess support is implemented, read access interruptions are only\ntriggered at privilege levels 2 and 3. The kernel and gateway\npage execute at privilege level 0, so this code never triggers\na read access interruption. Thus, it is currently possible for\nuser code to execute a LWS compare and swap operation at an\naddress that is read protected at privilege level 3 (PRIV_USER).\n\nFix this by probing read access rights at privilege level 3 and\nbranching to lws_fault if access isn\u0027t allowed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:51.694Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e8b496c52aa0c6572d88db7cab85aeea6f9c194d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bccf47adbf658293528e86960e6d6f736b1c9f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc0a24c24ceebabb5ba65900e332233d79e625e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b6af875baba9c4679b55f4561e201485451305f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8"
        }
      ],
      "title": "parisc: Revise gateway LWS calls to probe user read access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39715",
    "datePublished": "2025-09-05T17:21:22.330Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2026-05-12T12:06:32.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39716 (GCVE-0-2025-39716)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:21 – Updated: 2026-05-12 12:06

Title

parisc: Revise __get_user() to probe user read access

Summary

In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call. Fix this by probing read access rights at privilege level 3 (PRIV_USER) and setting __gu_err to -EFAULT (-14) if access isn't allowed. Note the cmpiclr instruction does a 32-bit compare because COND macro doesn't work inside asm.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/28a9b71671fb4a299…
https://git.kernel.org/stable/c/4c981077255acc2ed…
https://git.kernel.org/stable/c/f410ef9a032caf981…
https://git.kernel.org/stable/c/741b163e440683195…
https://git.kernel.org/stable/c/89f686a0fb6e473a8…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 28a9b71671fb4a2993ef85b8ef6f117ea63894fe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c981077255acc2ed5b3df6e8dd0125c81b626a9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f410ef9a032caf98117256b22139c31342d7bb06 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 741b163e440683195b8fd4fc8495fcd0105c6ab7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 89f686a0fb6e473a876a9a60a13aec67a62b9a7e (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:43.013Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:33.619Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/parisc/include/asm/uaccess.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "28a9b71671fb4a2993ef85b8ef6f117ea63894fe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c981077255acc2ed5b3df6e8dd0125c81b626a9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f410ef9a032caf98117256b22139c31342d7bb06",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "741b163e440683195b8fd4fc8495fcd0105c6ab7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "89f686a0fb6e473a876a9a60a13aec67a62b9a7e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/parisc/include/asm/uaccess.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Revise __get_user() to probe user read access\n\nBecause of the way read access support is implemented, read access\ninterruptions are only triggered at privilege levels 2 and 3. The\nkernel executes at privilege level 0, so __get_user() never triggers\na read access interruption (code 26). Thus, it is currently possible\nfor user code to access a read protected address via a system call.\n\nFix this by probing read access rights at privilege level 3 (PRIV_USER)\nand setting __gu_err to -EFAULT (-14) if access isn\u0027t allowed.\n\nNote the cmpiclr instruction does a 32-bit compare because COND macro\ndoesn\u0027t work inside asm."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:52.831Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/28a9b71671fb4a2993ef85b8ef6f117ea63894fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c981077255acc2ed5b3df6e8dd0125c81b626a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f410ef9a032caf98117256b22139c31342d7bb06"
        },
        {
          "url": "https://git.kernel.org/stable/c/741b163e440683195b8fd4fc8495fcd0105c6ab7"
        },
        {
          "url": "https://git.kernel.org/stable/c/89f686a0fb6e473a876a9a60a13aec67a62b9a7e"
        }
      ],
      "title": "parisc: Revise __get_user() to probe user read access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39716",
    "datePublished": "2025-09-05T17:21:23.429Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2026-05-12T12:06:33.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0825

Solutions

CVE-2025-39706 (GCVE-0-2025-39706)

CVE-2025-39707 (GCVE-0-2025-39707)

CVE-2025-39709 (GCVE-0-2025-39709)

CVE-2025-39710 (GCVE-0-2025-39710)

CVE-2025-39711 (GCVE-0-2025-39711)

CVE-2025-39712 (GCVE-0-2025-39712)

CVE-2025-39713 (GCVE-0-2025-39713)

CVE-2025-39714 (GCVE-0-2025-39714)

CVE-2025-39715 (GCVE-0-2025-39715)

CVE-2025-39716 (GCVE-0-2025-39716)

Tags

Sightings

Nomenclature