CVE-2025-38227

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-38227
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38227.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38227
Downstream
Related
Published
2025-07-04T13:37:41.922Z
Modified
2026-05-07T04:17:22.064046Z
Summary
media: vidtv: Terminating the subsequent process of initialization failure
Details

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: Terminating the subsequent process of initialization failure

syzbot reported a slab-use-after-free Read in vidtvmuxinit. [1]

After PSI initialization fails, the si member is accessed again, resulting in this uaf.

After si initialization fails, the subsequent process needs to be exited.

[1] BUG: KASAN: slab-use-after-free in vidtvmuxpidctxinit drivers/media/test-drivers/vidtv/vidtvmux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtvmuxinit+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059

CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xc3/0x670 mm/kasan/report.c:521 kasanreport+0xd9/0x110 mm/kasan/report.c:634 vidtvmuxpidctxinit drivers/media/test-drivers/vidtv/vidtvmux.c:78 vidtvmuxinit+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:524 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 vidtvstartfeed drivers/media/test-drivers/vidtv/vidtvbridge.c:239 dmxsectionfeedstartfiltering drivers/media/dvb-core/dvbdemux.c:973 dvbdmxdevfeedstart drivers/media/dvb-core/dmxdev.c:508 [inline] dvbdmxdevfeedrestart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvbdmxdevfilterstop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvbdmxdevfilterfree drivers/media/dvb-core/dmxdev.c:840 [inline] dvbdemuxrelease+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/filetable.c:464 taskworkrun+0x14e/0x250 kernel/taskwork.c:227 exittaskwork include/linux/taskwork.h:40 [inline] doexit+0xad8/0x2d70 kernel/exit.c:938 dogroupexit+0xd3/0x2a0 kernel/exit.c:1087 __dosysexit_group kernel/exit.c:1098 [inline] __sesysexit_group kernel/exit.c:1096 [inline] _x64sysexitgroup+0x3e/0x50 kernel/exit.c:1096 x64syscall+0x151f/0x1720 arch/x86/include/generated/asm/syscalls64.h:232 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIGRAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK>

Allocated by task 6059: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] __kasankmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmallocnoprof include/linux/slab.h:901 [inline] kzallocnoprof include/linux/slab.h:1037 [inline] vidtvpsipattableinit drivers/media/test-drivers/vidtv/vidtvpsi.c:970 vidtvchannelsiinit drivers/media/test-drivers/vidtv/vidtvchannel.c:423 vidtvmuxinit drivers/media/test-drivers/vidtv/vidtvmux.c:519 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 vidtvstartfeed drivers/media/test-drivers/vidtv/vidtvbridge.c:239 dmxsectionfeedstartfiltering drivers/media/dvb-core/dvbdemux.c:973 dvbdmxdevfeedstart drivers/media/dvb-core/dmxdev.c:508 [inline] dvbdmxdevfeedrestart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvbdmxdevfilterstop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvbdmxdevfilterfree drivers/media/dvb-core/dmxdev.c:840 [inline] dvbdemuxrelease+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 _fput+0x3ff/0xb70 fs/filetabl ---truncated---

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38227.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3be8037960bccd13052cfdeba8805ad785041d70
Fixed
e1d72ff111eceea6b28dccb7ca4e8f4900b11729
Fixed
7e62be1f3b241bc9faee547864bb39332955509b
Fixed
685c18bc5a36f823ee725e85aac1303ef5f535ba
Fixed
9824e1732a163e005aa84e12ec439493ebd4f097
Fixed
72541cae73d0809a6416bfcd2ee6473046a0013a
Fixed
f8c2483be6e8bb6c2148315b4a924c65bb442b5e
Fixed
1d5f88f053480326873115092bc116b7d14916ba

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38227.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.0
Fixed
5.10.239
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.186
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.142
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.95
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.35
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.4

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38227.json"