{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38558","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.025Z","datePublished":"2025-08-19T17:02:36.355Z","dateUpdated":"2026-05-11T21:30:25.157Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:30:25.157Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[ 2.756273] Mem abort info:\n[ 2.760080] ESR = 0x0000000096000005\n[ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2.771068] SET = 0, FnV = 0\n[ 2.771069] EA = 0, S1PTW = 0\n[ 2.771070] FSC = 0x05: level 1 translation fault\n[ 2.771071] Data abort info:\n[ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[ 2.771084] Dumping ftrace buffer:\n[ 2.771085] (ftrace buffer empty)\n[ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15\n[ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[ 2.771146] sp : ffffffc08140bbb0\n[ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[ 2.771156] Call trace:\n[ 2.771157] __uvcg_fill_strm+0x198/0x2cc\n[ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c\n[ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290\n[ 2.771159] configfs_symlink+0x1f8/0x630\n[ 2.771161] vfs_symlink+0x114/0x1a0\n[ 2.771163] do_symlinkat+0x94/0x28c\n[ 2.771164] __arm64_sys_symlinkat+0x54/0x70\n[ 2.771164] invoke_syscall+0x58/0x114\n[ 2.771166] el0_svc_common+0x80/0xe0\n[ 2.771168] do_el0_svc+0x1c/0x28\n[ 2.771169] el0_svc+0x3c/0x70\n[ 2.771172] el0t_64_sync_handler+0x68/0xbc\n[ 2.771173] el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/uvc_configfs.c"],"versions":[{"version":"7b5a58952fc3b51905c2963647485565df1e5e26","lessThan":"6db61c1aa23075eeee90e083ca3f6567a5635da6","status":"affected","versionType":"git"},{"version":"7b5a58952fc3b51905c2963647485565df1e5e26","lessThan":"7f8576fc9d1a203d12474bf52710c7af68cae490","status":"affected","versionType":"git"},{"version":"7b5a58952fc3b51905c2963647485565df1e5e26","lessThan":"323a80a1a5ace319a722909c006d5bdb2a35d273","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/uvc_configfs.c"],"versions":[{"version":"6.13","status":"affected"},{"version":"0","lessThan":"6.13","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6"},{"url":"https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490"},{"url":"https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273"}],"title":"usb: gadget: uvc: Initialize frame-based format color matching descriptor","x_generator":{"engine":"bippy-1.2.0"}}}}