{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38226","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.995Z","datePublished":"2025-07-04T13:37:40.977Z","dateUpdated":"2026-05-11T21:23:40.651Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:23:40.651Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/test-drivers/vivid/vivid-vid-cap.c"],"versions":[{"version":"54f259906039dbfe46c550011409fa16f72370f6","lessThan":"57597d8db5bbda618ba2145b7e8a7e6f01b6a27e","status":"affected","versionType":"git"},{"version":"f9d19f3a044ca651b0be52a4bf951ffe74259b9f","lessThan":"635cea4f44c1ddae208666772c164eab5a6bce39","status":"affected","versionType":"git"},{"version":"ab54081a2843aefb837812fac5488cc8f1696142","lessThan":"89b5ab822bf69867c3951dd0eb34b0314c38966b","status":"affected","versionType":"git"},{"version":"2f558c5208b0f70c8140e08ce09fcc84da48e789","lessThan":"5d89aa42534723400fefd46e26e053b9c382b4ee","status":"affected","versionType":"git"},{"version":"94a7ad9283464b75b12516c5512541d467cefcf8","lessThan":"f6b1b0f8ba0b61d8b511df5649d57235f230c135","status":"affected","versionType":"git"},{"version":"94a7ad9283464b75b12516c5512541d467cefcf8","lessThan":"00da1c767a6567e56f23dda586847586868ac064","status":"affected","versionType":"git"},{"version":"94a7ad9283464b75b12516c5512541d467cefcf8","lessThan":"c56398885716d97ee9bcadb2bc9663a8c1757a34","status":"affected","versionType":"git"},{"version":"94a7ad9283464b75b12516c5512541d467cefcf8","lessThan":"f83ac8d30c43fd902af7c84c480f216157b60ef0","status":"affected","versionType":"git"},{"version":"8c0ee15d9a102c732d0745566d254040085d5663","status":"affected","versionType":"git"},{"version":"5edc3604151919da8da0fb092b71d7dce07d848a","status":"affected","versionType":"git"},{"version":"9c7fba9503b826f0c061d136f8f0c9f953ed18b9","status":"affected","versionType":"git"},{"version":"ccb5392c4fea0e7d9f7ab35567e839d74cb3998b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/test-drivers/vivid/vivid-vid-cap.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"5.4.296","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.229","versionEndExcluding":"5.4.296"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.163","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.86","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.2","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e"},{"url":"https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39"},{"url":"https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b"},{"url":"https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee"},{"url":"https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135"},{"url":"https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064"},{"url":"https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34"},{"url":"https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0"}],"title":"media: vivid: Change the siize of the composing","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:35:42.979Z"}}]}}