CVE-2025-39807

EUVD-2025-29607
In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Add error handling for old state CRTC in atomic_disable

Introduce error handling to address an issue where, after a hotplug
event, the cursor continues to update. This situation can lead to a
kernel panic due to accessing the NULL `old_state->crtc`.

E.g.
Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
 mtk_crtc_plane_disable+0x24/0x140
 mtk_plane_atomic_update+0x8c/0xa8
 drm_atomic_helper_commit_planes+0x114/0x2c8
 drm_atomic_helper_commit_tail_rpm+0x4c/0x158
 commit_tail+0xa0/0x168
 drm_atomic_helper_commit+0x110/0x120
 drm_atomic_commit+0x8c/0xe0
 drm_atomic_helper_update_plane+0xd4/0x128
 __setplane_atomic+0xcc/0x110
 drm_mode_cursor_common+0x250/0x440
 drm_mode_cursor_ioctl+0x44/0x70
 drm_ioctl+0x264/0x5d8
 __arm64_sys_ioctl+0xd8/0x510
 invoke_syscall+0x6c/0xe0
 do_el0_svc+0x68/0xe8
 el0_svc+0x34/0x60
 el0t_64_sync_handler+0x1c/0xf8
 el0t_64_sync+0x180/0x188

Add NULL pointer checks to ensure stability by preventing operations
on an invalid CRTC state.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

EPSS Score Percentile: 2%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.12.40 ≤ x < 6.12.45 |
| linux | linux_kernel | 6.15.8 ≤ x < 6.16 |
| linux | linux_kernel | 6.16.1 ≤ x < 6.16.5 |
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | 6.16:rc7 |
| linux | linux_kernel | 6.17:rc1 |
| linux | linux_kernel | 6.17:rc2 |
| linux | linux_kernel | 6.17:rc3 |

x = Vulnerable software versions

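Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| linux | bookworm | 6.1.170-3 | fixed |
| linux | bookworm (security) | 6.1.172-1 | fixed |
| linux | bullseye | 5.10.223-1 | fixed |
| linux | bullseye (security) | 5.10.251-5 | fixed |
| linux | forky | 7.0.7-1 | fixed |
| linux | sid | 7.0.7-1 | fixed |
| linux | trixie | 6.12.86-1 | fixed |
| linux | trixie (security) | 6.12.88-1 | fixed |
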
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| kernel-64kb | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-64kb | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-64kb | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.15.2 | fixed |
| kernel-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.15.2 | fixed |
| kernel-default | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-default | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-default | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-default-base | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1.150700.17.13.1 | fixed |
| kernel-default-base | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1.150700.17.13.1 | fixed |
| kernel-default-base | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1.150700.17.13.1 | fixed |
| kernel-docs | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-docs | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-docs | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-macros | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-macros | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-macros | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-obs-build | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-obs-build | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-obs-build | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-source | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-source | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-source | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-source-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.15.2 | fixed |
| kernel-source-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.15.2 | fixed |
| kernel-syms | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-syms | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-syms | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-syms-azure | suse enterprise sap 15 SP7 | 6.4.0-150700.20.15.1 | fixed |
| kernel-syms-azure | suse enterprise server 15 SP7 | 6.4.0-150700.20.15.1 | fixed |
| kernel-zfcpdump | suse enterprise desktop 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-zfcpdump | suse enterprise sap 15 SP7 | 6.4.0-150700.53.19.1 | fixed |
| kernel-zfcpdump | suse enterprise server 15 SP7 | 6.4.0-150700.53.19.1 | fixed |