CVE-2025-21996
- Source
- https://cve.org/CVERecord?id=CVE-2025-21996
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21996.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21996
- Downstream
- Related
- Published
- 2025-04-03T07:18:59.933Z
- Modified
- 2026-03-11T07:47:42.519192Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix uninitialized size issue in radeonvcecs_parse()
On the off chance that command stream passed from userspace via ioctl() call to radeonvcecsparse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeonvcecsreloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value.
Play it safe and init 'tmp' with 0, thus ensuring that radeonvcecs_reloc() will catch an early error in cases like these.
Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.
(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21996.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636
- https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8
- https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65d
- https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69
- https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9
- https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713
- https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c
- https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21996.json
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-21996
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2fc5703abda201f138faf63bdca743d04dbf4b1aFixed0effb378ebce52b897f85cd7f828854b8c7cb636Fixed5b4d9d20fd455a97920cf158dd19163b879cf65dFixed9b2da9c673a0da1359a2151f7ce773e2f77d71a9Fixed78b07dada3f02f77762d0755a96d35f53b02be69Fixed3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8Fixeddd1801aa01bba1760357f2a641346ae149686713Fixedf5e049028124f755283f2c07e7a3708361ed1dc8Fixeddd8689b52a24807c2d5ce0a17cb26dc87f75235c