CVE-2023-53458

EUVD-2025-32809

01.10.2025, 12:15

In the Linux kernel, the following vulnerability has been resolved:

media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()

When the driver calls cx23885_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in a empty buffer
risc->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.

This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.

We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of cx23885_risc_buffer()
and the value of risc->cpu before buffer free.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.18 ≤ 𝑥 < 5.15.113
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.30
linux	linux_kernel	6.2 ≤ 𝑥 < 6.3.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.148-1 fixed
bookworm (security)	6.1.153-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	6.16.8-1 fixed
sid	6.16.9-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.48-1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/47e8b73bc35d7c54642f78e498697692f6358996

https://git.kernel.org/stable/c/5b8e5e28e85a546dfccc3895befe0e823fdd7c89

https://git.kernel.org/stable/c/6738841f6fcf23e9fc30e2449f32fc84ee19c6f1

https://git.kernel.org/stable/c/f0a06203f2fe63f04311467200c99c4ee1926578