CVE-2025-22028

In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: <TASK> vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de	Patch
https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d	Patch
https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7	Patch
https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190	Patch
https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

28 Oct 2025, 19:05

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux linux Kernel Linux
CWE		NVD-CWE-noinfo
References	~~() https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de -~~	() https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de - Patch
References	~~() https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d -~~	() https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d - Patch
References	~~() https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7 -~~	() https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7 - Patch
References	~~() https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190 -~~	() https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190 - Patch
References	~~() https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057 -~~	() https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057 - Patch

02 May 2025, 07:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057 -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: vimc: omite .s_stream() para entidades detenidas. Syzbot reportó [1] una advertencia generada por una comprobación en call_s_stream() que verifica si la operación de .s_stream() está justificada para subdesarrollos no iniciados o detenidos. Se ha añadido una solución sencilla en vimc_streamer_pipeline_terminate() que garantiza que las entidades omitan una llamada a .s_stream() a menos que se hayan iniciado correctamente previamente. [1] Informe de Syzbot: ------------[ cortar aquí ]------------ ADVERTENCIA: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...

16 Apr 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-16 15:15

Updated : 2025-10-28 19:05

NVD link : CVE-2025-22028

Mitre link : CVE-2025-22028

CVE.ORG link : CVE-2025-22028

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10