Detections
Analytics

CVE-2025-21996

high

Description

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

References

https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8

https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c

https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713

https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69

https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8

Details

Source: Mitre, NVD

Published: 2025-04-03

Updated: 2025-04-03

Risk Information

CVSS v2

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High