PT-2025-14589 · Linux+7 · Linux Kernel+7
Published: 2025-03-11 · Updated: 2026-04-20
CVE-2025-21996
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue arises when a command stream passed from userspace via an ioctl() call to the radeon_vce_cs_parse() function is crafted so that the first command to execute is encode (case 0x03000001). In that case, the function calls radeon_vce_cs_reloc() with a size argument that has not been properly initialized, because 'size' points to the 'tmp' variable before it has been assigned any value. To address this, the 'tmp' variable is initialized with 0, ensuring that radeon_vce_cs_reloc() catches an early error in such cases.
Recommendations
For the Linux kernel, initialize the 'tmp' variable with 0 in the radeon_vce_cs_parse() function to prevent the size argument from being uninitialized when calling radeon_vce_cs_reloc(). As a temporary workaround, consider restricting access to the radeon_vce_cs_parse() function until a patch is available.
Exploit
Fix
Use of Uninitialized Resource
Access of Uninitialized Pointer
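The pattern from the description, as an added userspace model in C (not kernel code and not the upstream patch). `model_parse`, `model_reloc`, `CMD_CREATE`, the (cmd, arg) stream layout and the zero-size rejection are assumptions made for illustration; only the encode value 0x03000001 comes from the description. `tmp_start` stands for the stale stack contents of 'tmp', so the run stays deterministic.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_ENCODE 0x03000001u /* encode command value from the description */
#define CMD_CREATE 0x00000001u /* hypothetical model command that sets the size */

/* Hypothetical stand-in for the reloc size check. Rejecting size 0 is an
 * assumption of this model, not taken from the kernel source. */
static int model_reloc(uint32_t buf_len, uint32_t size)
{
    return (size == 0 || size > buf_len) ? -EINVAL : 0;
}

/* Model of the parse loop over (cmd, arg) pairs. tmp_start stands for what
 * 'tmp' holds on entry: stale stack data before the fix, 0 after it. */
static int model_parse(const uint32_t *ib, size_t ndw, uint32_t buf_len,
                       uint32_t tmp_start)
{
    uint32_t tmp = tmp_start;
    uint32_t *size = &tmp; /* 'size' aliases 'tmp', as in the description */
    if (ndw % 2)
        return -EINVAL;
    for (size_t i = 0; i < ndw; i += 2) {
        if (ib[i] == CMD_CREATE) {
            *size = ib[i + 1];
        } else if (ib[i] == CMD_ENCODE) {
            int r = model_reloc(buf_len, *size); /* size never set if encode is first */
            if (r)
                return r;
        } else {
            return -EINVAL;
        }
    }
    return 0;
}

/* Constructed streams: encode as the first command, and a well-formed one. */
static const uint32_t encode_first[] = { CMD_ENCODE, 0 };
static const uint32_t create_then_encode[] = { CMD_CREATE, 4096, CMD_ENCODE, 0 };
int parse_encode_first(uint32_t tmp_start) { return model_parse(encode_first, 2, 8192, tmp_start); }
int parse_well_formed(uint32_t tmp_start) { return model_parse(create_then_encode, 4, 8192, tmp_start); }

int main(void)
{
    printf("stale tmp: %d, zeroed tmp: %d\n", parse_encode_first(4096), parse_encode_first(0));
    return 0;
}
```

With a stale value in 'tmp' the encode-first stream is accepted or rejected depending on that value; with 'tmp' zeroed it is always rejected, while the well-formed stream is unaffected either way.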
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu