{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40165", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.176Z", "datePublished": "2025-11-12T10:26:23.806Z", "dateUpdated": "2025-12-01T06:19:18.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-01T06:19:18.430Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: m2m: Fix streaming cleanup on release\n\nIf streamon/streamoff calls are imbalanced, such as when exiting an\napplication with Ctrl+C when streaming, the m2m usage_count will never\nreach zero and the ISI channel won't be freed. Besides from that, if the\ninput line width is more than 2K, it will trigger a WARN_ON():\n\n[ 59.222120] ------------[ cut here ]------------\n[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654\n[ 59.238569] Modules linked in: ap1302\n[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT\n[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)\n[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120\n[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120\n[ 59.275047] sp : ffff8000848c3b40\n[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00\n[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001\n[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780\n[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000\n[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c\n[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30\n[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420\n[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000\n[ 59.349590] Call trace:\n[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)\n[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c\n[ 59.361072] v4l_streamon+0x24/0x30\n[ 59.364556] __video_do_ioctl+0x40c/0x4a0\n[ 59.368560] video_usercopy+0x2bc/0x690\n[ 59.372382] video_ioctl2+0x18/0x24\n[ 59.375857] v4l2_ioctl+0x40/0x60\n[ 59.379168] __arm64_sys_ioctl+0xac/0x104\n[ 59.383172] invoke_syscall+0x48/0x104\n[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0\n[ 59.391613] do_el0_svc+0x1c/0x28\n[ 59.394915] el0_svc+0x34/0xf4\n[ 59.397966] el0t_64_sync_handler+0xa0/0xe4\n[ 59.402143] el0t_64_sync+0x198/0x19c\n[ 59.405801] ---[ end trace 0000000000000000 ]---\n\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nv4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c"], "versions": [{"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378", "lessThan": "50c721be2cff2bf8c9a5f1f4add35c2bbb1df302", "status": "affected", "versionType": "git"}, {"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378", "lessThan": "e8b5f4d80775835cf8192d65138e9be1ff202847", "status": "affected", "versionType": "git"}, {"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378", "lessThan": "b0d438c7b43314f9128e0dda5f83789e593e684a", "status": "affected", "versionType": "git"}, {"version": "cf21f328fcafacf4f96e7a30ef9dceede1076378", "lessThan": "178aa3360220231dd91e7dbc2eb984525886c9c1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.114", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.55", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.5", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.114"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.17.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302"}, {"url": "https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847"}, {"url": "https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a"}, {"url": "https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1"}], "title": "media: nxp: imx8-isi: m2m: Fix streaming cleanup on release", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: nxp: imx8-isi: m2m: Fix streaming cleanup on release\n\nIf streamon/streamoff calls are imbalanced, such as when exiting an\napplication with Ctrl+C when streaming, the m2m usage_count will never\nreach zero and the ISI channel won't be freed. Besides from that, if the\ninput line width is more than 2K, it will trigger a WARN_ON():\n\n[ 59.222120] ------------[ cut here ]------------\n[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654\n[ 59.238569] Modules linked in: ap1302\n[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT\n[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)\n[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120\n[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120\n[ 59.275047] sp : ffff8000848c3b40\n[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00\n[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001\n[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780\n[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000\n[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c\n[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30\n[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420\n[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000\n[ 59.349590] Call trace:\n[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)\n[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c\n[ 59.361072] v4l_streamon+0x24/0x30\n[ 59.364556] __video_do_ioctl+0x40c/0x4a0\n[ 59.368560] video_usercopy+0x2bc/0x690\n[ 59.372382] video_ioctl2+0x18/0x24\n[ 59.375857] v4l2_ioctl+0x40/0x60\n[ 59.379168] __arm64_sys_ioctl+0xac/0x104\n[ 59.383172] invoke_syscall+0x48/0x104\n[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0\n[ 59.391613] do_el0_svc+0x1c/0x28\n[ 59.394915] el0_svc+0x34/0xf4\n[ 59.397966] el0t_64_sync_handler+0xa0/0xe4\n[ 59.402143] el0t_64_sync+0x198/0x19c\n[ 59.405801] ---[ end trace 0000000000000000 ]---\n\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nv4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers."}], "id": "CVE-2025-40165", "lastModified": "2025-11-12T16:19:12.850", "metrics": {}, "published": "2025-11-12T11:15:46.763", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release", "id": "2414497", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414497"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmedia: nxp: imx8-isi: m2m: Fix streaming cleanup on release\nIf streamon/streamoff calls are imbalanced, such as when exiting an\napplication with Ctrl+C when streaming, the m2m usage_count will never\nreach zero and the ISI channel won't be freed. Besides from that, if the\ninput line width is more than 2K, it will trigger a WARN_ON():\n[ 59.222120] ------------[ cut here ]------------\n[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654\n[ 59.238569] Modules linked in: ap1302\n[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT\n[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)\n[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120\n[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120\n[ 59.275047] sp : ffff8000848c3b40\n[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00\n[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001\n[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780\n[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000\n[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c\n[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30\n[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420\n[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000\n[ 59.349590] Call trace:\n[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)\n[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c\n[ 59.361072] v4l_streamon+0x24/0x30\n[ 59.364556] __video_do_ioctl+0x40c/0x4a0\n[ 59.368560] video_usercopy+0x2bc/0x690\n[ 59.372382] video_ioctl2+0x18/0x24\n[ 59.375857] v4l2_ioctl+0x40/0x60\n[ 59.379168] __arm64_sys_ioctl+0xac/0x104\n[ 59.383172] invoke_syscall+0x48/0x104\n[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0\n[ 59.391613] do_el0_svc+0x1c/0x28\n[ 59.394915] el0_svc+0x34/0xf4\n[ 59.397966] el0t_64_sync_handler+0xa0/0xe4\n[ 59.402143] el0t_64_sync+0x198/0x19c\n[ 59.405801] ---[ end trace 0000000000000000 ]---\nAddress this issue by moving the streaming preparation and cleanup to\nthe vb2 .prepare_streaming() and .unprepare_streaming() operations. This\nalso simplifies the driver by allowing direct usage of the\nv4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers."], "name": "CVE-2025-40165", "public_date": "2025-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40165\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40165\nhttps://lore.kernel.org/linux-cve-announce/2025111227-CVE-2025-40165-872c@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-11-12T22:12:52.456067+00:00", "updated": "2025-11-12T22:12:52.456092+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}