CVE-2025-38693 - Vulnerability Details

- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash.

Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Published: 2025-09-04

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a null pointer dereference in the w7090p DVB tuner frontend driver. When a user sends a message with a null buffer and zero length, the driver dereferences a pointer without checking, causing a kernel crash. This results in a denial of service by crashing the system and is classified as CWE‑476.

Affected Systems

It affects Linux kernel installations that include the w7090p frontend driver, such as those found in Debian 11.0 and other distributions using the kernel version with the vulnerable code. The driver is only loaded when the associated DVB hardware is present, so the crash is limited to systems using that hardware.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of <1% shows a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local or requires a user to send a crafted message to the driver; no remote network path is documented.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 7a41ecfc3415ebe3b4c44f96b3337691dcf431a3
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< b3d77a3fc71c084575d3df4ec6544b3fb6ce587d
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 17b30e5ded062bd74f8ca6f317e1d415a8680665
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 454a443eaa792c8865c861a282fe6d4f596abc3a
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 6bbaec6a036940e22318f0454b50b8000845ab59
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< f98132a59ccc59a8b97987363bc99c8968934756
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 99690a494d91a0dc86cebd628da4c62c40552bcb
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< 39b06b93f24dff923c4183d564ed28c039150554
`713d54a8bd812229410a1902cd9b332a2a27af9f`	affected	< ed0234c8458b3149f15e496b48a1c9874dd24a1b

Linux

affected

Version	Status	Constraints
`2.6.39`	affected	—
`0`	unaffected	< 2.6.39
`5.4.297`	unaffected	≤ 5.4.*
`5.10.241`	unaffected	≤ 5.10.*
`5.15.190`	unaffected	≤ 5.15.*
`6.1.149`	unaffected	≤ 6.1.*
`6.6.103`	unaffected	≤ 6.6.*
`6.12.43`	unaffected	≤ 6.12.*
`6.15.11`	unaffected	≤ 6.15.*
`6.16.2`	unaffected	≤ 6.16.*
`6.17`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a patched version that includes the null‑pointer dereference fix; on distributions that provide vendor‑specific kernel packages, install the latest kernel update that references the commit fixing the issue.
For systems that cannot be updated immediately, disable the w7090p driver or block access to the device files used by the driver so the crash path cannot be triggered.
Monitor system logs for kernel panics or session crashes that may be related to the tuner driver, and plan timely kernel upgrades.

Generated by OpenCVE AI on April 20, 2026 at 15:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4327-1	linux security update
Debian DLA	DLA-4328-1	linux-6.1 security update
Debian DSA	DSA-6009-1	linux security update
EUVD	EUVD-2025-26776	In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Ubuntu USN	USN-7909-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7909-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7909-3	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7910-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7909-4	Linux kernel vulnerabilities
Ubuntu USN	USN-7910-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7909-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7933-1	Linux kernel (KVM) vulnerabilities
Ubuntu USN	USN-7938-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8028-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8028-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8031-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8028-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8028-4	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8028-5	Linux kernel vulnerabilities
Ubuntu USN	USN-8031-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-8028-6	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-8031-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8052-1	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8028-7	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8028-8	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-8052-2	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8074-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8074-2	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/17b30e5ded062bd74f8ca6f317e1d415a8680665
https://git.kernel.org/stable/c/39b06b93f24dff923c4183d564ed28c039150554
https://git.kernel.org/stable/c/454a443eaa792c8865c861a282fe6d4f596abc3a
https://git.kernel.org/stable/c/6bbaec6a036940e22318f0454b50b8000845ab59
https://git.kernel.org/stable/c/7a41ecfc3415ebe3b4c44f96b3337691dcf431a3
https://git.kernel.org/stable/c/99690a494d91a0dc86cebd628da4c62c40552bcb
https://git.kernel.org/stable/c/b3d77a3fc71c084575d3df4ec6544b3fb6ce587d
https://git.kernel.org/stable/c/ed0234c8458b3149f15e496b48a1c9874dd24a1b
https://git.kernel.org/stable/c/f98132a59ccc59a8b97987363bc99c8968934756
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
https://nvd.nist.gov/vuln/detail/CVE-2025-38693
https://www.cve.org/CVERecord?id=CVE-2025-38693

History

Mon, 04 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
References	https://git.kernel.org/stable/c/ddd1f0e0b6991e4f1b5d08a74de388564b7c4ac6

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/ddd1f0e0b6991e4f1b5d08a74de388564b7c4ac6

Fri, 09 Jan 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
Weaknesses		CWE-476
CPEs		cpe:2.3:o:debian:debian_linux:11.0:::::::*
Vendors & Products		Debian Debian debian Linux
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 02 Jan 2026 15:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel::::::::

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Fri, 05 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Vendors & Products		Linux Linux linux Kernel

Fri, 05 Sep 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-38693 https://www.cve.org/CVERecord?id=CVE-2025-38693

Thu, 04 Sep 2025 15:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Title		media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
References		https://git.kernel.org/stable/c/17b30e5ded062bd74f8ca6f317e1d415a8680665 https://git.kernel.org/stable/c/39b06b93f24dff923c4183d564ed28c039150554 https://git.kernel.org/stable/c/454a443eaa792c8865c861a282fe6d4f596abc3a https://git.kernel.org/stable/c/6bbaec6a036940e22318f0454b50b8000845ab59 https://git.kernel.org/stable/c/7a41ecfc3415ebe3b4c44f96b3337691dcf431a3 https://git.kernel.org/stable/c/99690a494d91a0dc86cebd628da4c62c40552bcb https://git.kernel.org/stable/c/b3d77a3fc71c084575d3df4ec6544b3fb6ce587d https://git.kernel.org/stable/c/ed0234c8458b3149f15e496b48a1c9874dd24a1b https://git.kernel.org/stable/c/f98132a59ccc59a8b97987363bc99c8968934756

Subscriptions

Debian Debian Linux

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-09-04T15:32:46.726Z

Updated: 2026-05-04T07:51:13.210Z

Reserved: 2025-04-16T04:51:24.032Z

Link: CVE-2025-38693

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-09-04T16:15:37.593

Modified: 2026-05-04T09:15:59.807

Link: CVE-2025-38693

Redhat

Severity :

Publid Date: 2025-09-04T15:32:46Z

Links: CVE-2025-38693 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object