{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38679", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.031Z", "datePublished": "2025-09-04T15:32:35.131Z", "dateUpdated": "2025-09-04T15:32:35.131Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-04T15:32:35.131Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Fix OOB read due to missing payload bound check\n\nCurrently, The event_seq_changed() handler processes a variable number\nof properties sent by the firmware. The number of properties is indicated\nby the firmware and used to iterate over the payload. However, the\npayload size is not being validated against the actual message length.\n\nThis can lead to out-of-bounds memory access if the firmware provides a\nproperty count that exceeds the data available in the payload. Such a\ncondition can result in kernel crashes or potential information leaks if\nmemory beyond the buffer is accessed.\n\nFix this by properly validating the remaining size of the payload before\neach property access and updating bounds accordingly as properties are\nparsed.\n\nThis ensures that property parsing is safely bounded within the received\nmessage buffer and protects against malformed or malicious firmware\nbehavior."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/qcom/venus/hfi_msgs.c"], "versions": [{"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "a3eef5847603cd8a4110587907988c3f93c9605a", "status": "affected", "versionType": "git"}, {"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "8f274e2b05fdae7a53cee83979202b5ecb49035c", "status": "affected", "versionType": "git"}, {"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "6f08bfb5805637419902f3d70069fe17a404545b", "status": "affected", "versionType": "git"}, {"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "c956c3758510b448b3d4d10d1da8230e8c9bf668", "status": "affected", "versionType": "git"}, {"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "bed4921055dd7bb4d2eea2729852ae18cf97a2c6", "status": "affected", "versionType": "git"}, {"version": "09c2845e8fe4fcab942929480203f504a6e0a114", "lessThan": "06d6770ff0d8cc8dfd392329a8cc03e2a83e7289", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/qcom/venus/hfi_msgs.c"], "versions": [{"version": "4.13", "status": "affected"}, {"version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.149", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.103", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.43", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.11", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.2", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.1.149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.6.103"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.12.43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.15.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.16.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a3eef5847603cd8a4110587907988c3f93c9605a"}, {"url": "https://git.kernel.org/stable/c/8f274e2b05fdae7a53cee83979202b5ecb49035c"}, {"url": "https://git.kernel.org/stable/c/6f08bfb5805637419902f3d70069fe17a404545b"}, {"url": "https://git.kernel.org/stable/c/c956c3758510b448b3d4d10d1da8230e8c9bf668"}, {"url": "https://git.kernel.org/stable/c/bed4921055dd7bb4d2eea2729852ae18cf97a2c6"}, {"url": "https://git.kernel.org/stable/c/06d6770ff0d8cc8dfd392329a8cc03e2a83e7289"}], "title": "media: venus: Fix OOB read due to missing payload bound check", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: Fix OOB read due to missing payload bound check\n\nCurrently, The event_seq_changed() handler processes a variable number\nof properties sent by the firmware. The number of properties is indicated\nby the firmware and used to iterate over the payload. However, the\npayload size is not being validated against the actual message length.\n\nThis can lead to out-of-bounds memory access if the firmware provides a\nproperty count that exceeds the data available in the payload. Such a\ncondition can result in kernel crashes or potential information leaks if\nmemory beyond the buffer is accessed.\n\nFix this by properly validating the remaining size of the payload before\neach property access and updating bounds accordingly as properties are\nparsed.\n\nThis ensures that property parsing is safely bounded within the received\nmessage buffer and protects against malformed or malicious firmware\nbehavior."}], "id": "CVE-2025-38679", "lastModified": "2025-09-05T17:47:24.833", "metrics": {}, "published": "2025-09-04T16:15:35.387", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06d6770ff0d8cc8dfd392329a8cc03e2a83e7289"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f08bfb5805637419902f3d70069fe17a404545b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8f274e2b05fdae7a53cee83979202b5ecb49035c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a3eef5847603cd8a4110587907988c3f93c9605a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bed4921055dd7bb4d2eea2729852ae18cf97a2c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c956c3758510b448b3d4d10d1da8230e8c9bf668"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: media: venus: Fix OOB read due to missing payload bound check", "id": "2393207", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393207"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38679", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38679\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38679\nhttps://lore.kernel.org/linux-cve-announce/2025090443-CVE-2025-38679-be66@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-09-05T14:02:47.806761+00:00", "updated": "2025-09-05T14:02:47.806811+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}