PT-2025-27989 · Linux+6 · Linux Kernel+6

Published: 2025-04-28 · Updated: 2026-04-20 · CVE-2025-38214

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.10.226
Description: A null pointer dereference issue was found in the Linux kernel's fbdev subsystem. The issue occurs when fb_add_videomode() fails to allocate memory for fb_videomode, leading to a null pointer dereference in fb_videomode_to_var(). This happens because fb_info is registered without the expected mode in modelist, which is described in fb_info->var. The issue was identified by the Linux Verification Center with Syzkaller.
Recommendations: For Linux kernel versions prior to 5.10.226, update to version 5.10.226 or later to resolve the issue. As a temporary workaround, consider restricting access to the fbdev subsystem to minimize the risk of exploitation. Avoid using the fb_set_var() function until the issue is resolved.

Exploit

Fix

Weakness Enumeration: NULL Pointer Dereference

Related Identifiers

AZL-64770
BDU:2025-13564
CVE-2025-38214
DLA-4327-1
DLA-4328-1
DSA-5973-1
ECHO-20E2-E81E-04F3
MGASA-2025-0218
MGASA-2025-0219
OESA-2025-2765
OESA-2025-2766
OESA-2025-2767
OPENSUSE-SU-2025:20081-1
SUSE-SU-2025:02853-1
SUSE-SU-2025:02923-1
SUSE-SU-2025:02969-1
SUSE-SU-2025:02996-1
SUSE-SU-2025:02997-1
SUSE-SU-2025:03011-1
SUSE-SU-2025:03023-1
SUSE-SU-2025:03204-1
SUSE-SU-2025:20577-1
SUSE-SU-2025:20586-1
SUSE-SU-2025:20601-1
SUSE-SU-2025:20602-1
SUSE-SU-2025:21074-1
SUSE-SU-2025:21139-1
SUSE-SU-2025:21179-1
SUSE-SU-2025_02853-1
SUSE-SU-2025_02969-1
SUSE-SU-2025_02996-1
SUSE-SU-2025_02997-1
SUSE-SU-2025_03011-1
SUSE-SU-2025_03023-1
SUSE-SU-2025_03204-1
USN-7856-1
USN-8028-1
USN-8028-2
USN-8028-3
USN-8028-4
USN-8028-5
USN-8028-6
USN-8028-7
USN-8028-8
USN-8031-1
USN-8031-2
USN-8031-3
USN-8052-1
USN-8052-2
USN-8074-1
USN-8074-2
USN-8126-1

Affected Products

Astra Linux
Debian
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu