CVE-2025-21996
03.04.2025, 08:15
In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)Enginsight
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 3.15 ≤ 𝑥 < 5.4.292 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.236 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.180 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.132 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.85 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.21 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.9 |
| linux | linux_kernel | 6.14:rc1 |
| linux | linux_kernel | 6.14:rc2 |
| linux | linux_kernel | 6.14:rc3 |
| linux | linux_kernel | 6.14:rc4 |
| linux | linux_kernel | 6.14:rc5 |
| linux | linux_kernel | 6.14:rc6 |
| linux | linux_kernel | 6.14:rc7 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
Vulnerability Media Exposure
References