ghsa-5hm5-7p65-wrq6
Vulnerability from github
Published
2025-09-05 18:31
Modified
2025-09-05 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

media: venus: Fix OOB read due to missing payload bound check

Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length.

This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed.

Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed.

This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38679"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Fix OOB read due to missing payload bound check\n\nCurrently, The event_seq_changed() handler processes a variable number\nof properties sent by the firmware. The number of properties is indicated\nby the firmware and used to iterate over the payload. However, the\npayload size is not being validated against the actual message length.\n\nThis can lead to out-of-bounds memory access if the firmware provides a\nproperty count that exceeds the data available in the payload. Such a\ncondition can result in kernel crashes or potential information leaks if\nmemory beyond the buffer is accessed.\n\nFix this by properly validating the remaining size of the payload before\neach property access and updating bounds accordingly as properties are\nparsed.\n\nThis ensures that property parsing is safely bounded within the received\nmessage buffer and protects against malformed or malicious firmware\nbehavior.",
  "id": "GHSA-5hm5-7p65-wrq6",
  "modified": "2025-09-05T18:31:15Z",
  "published": "2025-09-05T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38679"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06d6770ff0d8cc8dfd392329a8cc03e2a83e7289"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f08bfb5805637419902f3d70069fe17a404545b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f274e2b05fdae7a53cee83979202b5ecb49035c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3eef5847603cd8a4110587907988c3f93c9605a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bed4921055dd7bb4d2eea2729852ae18cf97a2c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c956c3758510b448b3d4d10d1da8230e8c9bf668"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.