CVE-2025-22027

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-22027

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22027.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-22027

Downstream

BELL-CVE-2025-22027

DEBIAN-CVE-2025-22027

DLA-4178-1

DLA-4193-1

DSA-5907-1

ECHO-147a-d891-641b

MINI-7v5j-8w4r-xww8

OESA-2025-1463

OESA-2025-1464

SUSE-SU-2025:01707-1

SUSE-SU-2025:01919-1

SUSE-SU-2025:01951-1

SUSE-SU-2025:01964-1

SUSE-SU-2025:01967-1

SUSE-SU-2025:01983-1

UBUNTU-CVE-2025-22027

USN-7594-1

USN-7594-2

USN-7594-3

USN-7605-1

USN-7605-2

USN-7606-1

USN-7628-1

USN-7654-1

USN-7654-2

USN-7654-3

USN-7654-4

USN-7654-5

USN-7655-1

USN-7686-1

USN-7711-1

USN-7712-1

USN-7712-2

Related

Published

2025-04-16T15:15:55Z

Modified

2025-08-09T20:01:27Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

media: streamzap: fix race between device disconnection and urb callback

Syzkaller has reported a general protection fault at function irraweventstorewithfilter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzapdisconnect() function: rcunregisterdevice() is called before usbkillurb(). The dev->raw pointer is freed and set to NULL in rcunregisterdevice(), and only after that usbkillurb() waits for in-progress requests to finish.

If rcunregisterdevice() is called while streamzapcallback() handler is not finished, this can lead to accessing freed resources. Thus rcunregisterdevice() should be called after usbkill_urb().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

References

Affected packages