CVE-2025-21996

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()

On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value.

Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these.

Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.

(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < 0effb378ebce52b897f85cd7f828854b8c7cb636affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < 5b4d9d20fd455a97920cf158dd19163b879cf65daffected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < 9b2da9c673a0da1359a2151f7ce773e2f77d71a9affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < 78b07dada3f02f77762d0755a96d35f53b02be69affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < 3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < dd1801aa01bba1760357f2a641346ae149686713affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < f5e049028124f755283f2c07e7a3708361ed1dc8affected
LinuxLinux2fc5703abda201f138faf63bdca743d04dbf4b1a < dd8689b52a24807c2d5ce0a17cb26dc87f75235caffected
LinuxLinux3.15affected
LinuxLinux0 < 3.15unaffected
LinuxLinux5.4.292 <= 5.4.*unaffected
LinuxLinux5.10.236 <= 5.10.*unaffected
LinuxLinux5.15.180 <= 5.15.*unaffected
LinuxLinux6.1.132 <= 6.1.*unaffected
LinuxLinux6.6.85 <= 6.6.*unaffected
LinuxLinux6.12.21 <= 6.12.*unaffected
LinuxLinux6.13.9 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References