CVE-2025-71140

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel’s media subsystem, specifically within the MediaTek vcodec component. A previous implementation used a mutex to protect encoder and decoder context lists from modifications originating from the SCP IP block, which could lead to a NULL pointer dereference in the IPI handler. The issue occurs because the VPU IPI handler is called from a hard IRQ context, triggering a scheduler warning. This was initially reported in ChromeOS kernels and is reproducible on mainline kernels using Fluster with FFmpeg v4l2m2m decoders. The problem is triggered even when the capture format is unsupported. The lock protects the context list and operations on it are fast, so switching to a spinlock resolves the issue.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2025-71140

MGASA-2026-0017

MGASA-2026-0018

USN-8177-1

USN-8177-2

USN-8179-1

USN-8179-2

USN-8179-3

USN-8179-4

USN-8183-1

USN-8183-2

USN-8184-1

USN-8185-1

USN-8185-2

USN-8203-1

USN-8204-1

USN-8245-1

USN-8257-1

USN-8258-1

USN-8260-1

USN-8261-1

USN-8265-1

Affected Products

Chrome Os

Ffmpeg

Linuxmint

Linux Kernel

Mediatek Vdec

Ubuntu

CVE-2025-71140

Related Identifiers

Affected Products

References · 710