CVE-2025-21996

Severity: Medium · CVSS 3.1: 5.5 · EPSS 7.2%
Published Apr 3, 2025
Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()

On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value.

Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these.

Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
7.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908

Affected Products 14

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.15 – <5.4.292
linux   linux_kernel  *        ≥5.5 – <5.10.236
linux   linux_kernel  *        ≥5.11 – <5.15.180
linux   linux_kernel  *        ≥5.16 – <6.1.132
linux   linux_kernel  *        ≥6.2 – <6.6.85
linux   linux_kernel  *        ≥6.7 – <6.12.21
linux   linux_kernel  *        ≥6.13 – <6.13.9
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any
linux   linux_kernel  6.14     any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8
    Patch