CVE-2025-38226
HighIn the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
CVSS 3.1 score
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness type
CWE-787CVE-2025-38226 is a Out-of-bounds Write vulnerability
What is Out-of-bounds Write?
The product writes data past the end or before the beginning of the intended buffer. Learn more on MITRE CWE
Affected versions
Linux kernel versions
5.4.229,
5.10.163,
5.15.86,
6.1.2,
4.9.337,
4.14.303,
4.19.270,
6.0.16,
6.2
and later are affected. Fixed in
5.4.296,
5.10.239,
5.15.186,
6.1.142,
6.6.95,
6.12.35,
6.15.4,
6.16
and their respective stable series.
References
The following references provide additional information about CVE-2025-38226 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
Mailing List Third Party Advisory
-
Mailing List Third Party Advisory
-
PatchKernel patch commithttps://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064
-
PatchKernel patch commithttps://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e
-
PatchKernel patch commithttps://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee
Frequently asked questions
-
What is CVE-2025-38226?
CVE-2025-38226 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 , classified as an Out-of-bounds Write flaw (CWE-787) . It affects Linux kernel versions from 5.4.229 onward and has been patched in 5.4.296, 5.10.239, 5.15.186 and others. CVE-2025-38226 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
What is the CVSS score for CVE-2025-38226?
CVE-2025-38226 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. -
Is there a patch available for CVE-2025-38226?
Yes — CVE-2025-38226 has been patched. Fixed versions include 5.4.296, 5.10.239, 5.15.186 and others. If you are running Linux kernel 5.4.229 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2025-38226 actively exploited?
No — CVE-2025-38226 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
-
What is Out-of-bounds Write (CWE-787)?
The product writes data past the end or before the beginning of the intended buffer. View CWE-787 on MITRE CWE →