CVE-2025-38226
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-04
Last Modified
2025-12-18
Generated
2026-05-07
AI Q&A
2025-07-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38226
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.9.337 (inc) to 4.10 (exc)
linux linux_kernel From 4.14.303 (inc) to 4.15 (exc)
linux linux_kernel From 4.19.270 (inc) to 4.20 (exc)
linux linux_kernel From 5.4.229 (inc) to 5.4.296 (exc)
linux linux_kernel From 5.10.163 (inc) to 5.10.239 (exc)
linux linux_kernel From 5.15.86 (inc) to 5.15.186 (exc)
linux linux_kernel From 6.0.16 (inc) to 6.1 (exc)
linux linux_kernel From 6.1.2 (inc) to 6.1.142 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.95 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.35 (exc)
linux linux_kernel From 6.13 (inc) to 6.15.4 (exc)
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a memory out-of-bounds write in the Linux kernel's vivid media driver, specifically in the tpg_fill_plane_pattern and tpg_fill_plane_buffer functions. It occurs because the size of the composition can be larger than the allowed format capture rectangle, leading to a write beyond allocated memory. This was detected by the kernel's Address Sanitizer (KASAN) and is fixed by ensuring the composition size does not exceed the format capture rectangle size.


How can this vulnerability impact me? :

This vulnerability can lead to memory corruption in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges, compromising system security.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart