CVE-2025-68175 - Vulnerability Details

- media: nxp: imx8-isi: Fix streaming cleanup on release

Description

In the Linux kernel, the following vulnerability has been resolved:

media: nxp: imx8-isi: Fix streaming cleanup on release

The current implementation unconditionally calls
mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can
lead to situations where any release call (like from a simple
"v4l2-ctl -l") may release a currently streaming queue when called on
such a device.

This is reproducible on an i.MX8MP board by streaming from an ISI
capture device using gstreamer:

gst-launch-1.0 -v v4l2src device=/dev/videoX ! \
video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \
fakesink

While this stream is running, querying the caps of the same device
provokes the error state:

v4l2-ctl -l -d /dev/videoX

This results in the following trace:

[ 155.452152] ------------[ cut here ]------------
[ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi]
[ 157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6
[ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT
[ 157.064369] Hardware name: imx8mp_board_01 (DT)
[ 157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi]
[ 157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi]
[ 157.087126] sp : ffff800080003ee0
[ 157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000
[ 157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50
[ 157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000
[ 157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000
[ 157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000
[ 157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38
[ 157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000
[ 157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000
[ 157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200
[ 157.161850] Call trace:
[ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P)
[ 157.170319] __handle_irq_event_percpu+0x58/0x218
[ 157.175029] handle_irq_event+0x54/0xb8
[ 157.178867] handle_fasteoi_irq+0xac/0x248
[ 157.182968] handle_irq_desc+0x48/0x68
[ 157.186723] generic_handle_domain_irq+0x24/0x38
[ 157.191346] gic_handle_irq+0x54/0x120
[ 157.195098] call_on_irq_stack+0x24/0x30
[ 157.199027] do_interrupt_handler+0x88/0x98
[ 157.203212] el0_interrupt+0x44/0xc0
[ 157.206792] __el0_irq_handler_common+0x18/0x28
[ 157.211328] el0t_64_irq_handler+0x10/0x20
[ 157.215429] el0t_64_irq+0x198/0x1a0
[ 157.219009] ---[ end trace 0000000000000000 ]---

Address this issue by moving the streaming preparation and cleanup to
the vb2 .prepare_streaming() and .unprepare_streaming() operations. This
also simplifies the driver by allowing direct usage of the
vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of
the manual cleanup from mxc_isi_video_release().

Published: 2025-12-16

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A bug in the Linux kernel driver for the i.MX8ISi platform causes the driver to unconditionally purge the streaming queue when the device is released. The flaw can be triggered by simple commands such as "v4l2-ctl -l" issued during an active stream, leading to a kernel oops. The impact is a local denial of service because the kernel panic destroys integrity and availability of the full system, but it does not compromise confidentiality or expose data. The weakness is a failure to perform proper resource cleanup, which is reflected in the typical CWE category for improper resource management.

Affected Systems

The affected product is the Linux kernel used on i.MX8MP boards and any other systems that load the driver from the nxp:imx8-isi media subsystem. The Vendor list lists only Linux; specific version information is not provided in the advisory, but the fix is present in kernel revisions that incorporate the change described in the commit series referenced in the CVE references.

Risk and Exploitability

The EPSS score is below 1 %, indicating that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, anyone who streams media with the imx8-isi driver and meanwhile queries the device’s capabilities or otherwise releases the device will experience a local denial of service. The attack vector is local via normal user commands; no network exposure is required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`cf21f328fcafacf4f96e7a30ef9dceede1076378`	affected	< a2008925ed7361d69f92f63f0a779c300432610a
`cf21f328fcafacf4f96e7a30ef9dceede1076378`	affected	< 029914306b93b37c6e7060793d2b6f76b935cfa6
`cf21f328fcafacf4f96e7a30ef9dceede1076378`	affected	< 47773031a148ad7973b809cc7723cba77eda2b42

Linux

affected

Version	Status	Constraints
`6.4`	affected	—
`0`	unaffected	< 6.4
`6.12.80`	unaffected	≤ 6.12.*
`6.17.8`	unaffected	≤ 6.17.*
`6.18`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the imx8‑isi driver fix described in the commit series provided in the advisory.
Ensure that no tool or script performs a device release or queries device capabilities while an ISI stream is active. If such actions are required, pause the stream before initiating the release operation.
Continuously monitor kernel logs for "imx8_isi" errors or warnings and verify that the crash has been resolved after the kernel update.

Generated by OpenCVE AI on April 28, 2026 at 10:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8029-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8030-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8029-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8048-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8029-3	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/029914306b93b37c6e7060793d2b6f76b935cfa6
https://git.kernel.org/stable/c/47773031a148ad7973b809cc7723cba77eda2b42
https://git.kernel.org/stable/c/a2008925ed7361d69f92f63f0a779c300432610a
https://lore.kernel.org/linux-cve-announce/2025121629-CVE-2025-68175-d545@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-68175
https://www.cve.org/CVERecord?id=CVE-2025-68175

History

Tue, 28 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-404 CWE-773

Thu, 02 Apr 2026 11:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/a2008925ed7361d69f92f63f0a779c300432610a

Wed, 17 Dec 2025 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025121629-CVE-2025-68175-d545@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-68175 https://www.cve.org/CVERecord?id=CVE-2025-68175

Tue, 16 Dec 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: Fix streaming cleanup on release The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple "v4l2-ctl -l") may release a currently streaming queue when called on such a device. This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer: gst-launch-1.0 -v v4l2src device=/dev/videoX ! \ video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \ fakesink While this stream is running, querying the caps of the same device provokes the error state: v4l2-ctl -l -d /dev/videoX This results in the following trace: [ 155.452152] ------------[ cut here ]------------ [ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [ 157.064369] Hardware name: imx8mp_board_01 (DT) [ 157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [ 157.087126] sp : ffff800080003ee0 [ 157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [ 157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [ 157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [ 157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [ 157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [ 157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [ 157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [ 157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [ 157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [ 157.161850] Call trace: [ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [ 157.170319] __handle_irq_event_percpu+0x58/0x218 [ 157.175029] handle_irq_event+0x54/0xb8 [ 157.178867] handle_fasteoi_irq+0xac/0x248 [ 157.182968] handle_irq_desc+0x48/0x68 [ 157.186723] generic_handle_domain_irq+0x24/0x38 [ 157.191346] gic_handle_irq+0x54/0x120 [ 157.195098] call_on_irq_stack+0x24/0x30 [ 157.199027] do_interrupt_handler+0x88/0x98 [ 157.203212] el0_interrupt+0x44/0xc0 [ 157.206792] __el0_irq_handler_common+0x18/0x28 [ 157.211328] el0t_64_irq_handler+0x10/0x20 [ 157.215429] el0t_64_irq+0x198/0x1a0 [ 157.219009] ---[ end trace 0000000000000000 ]--- Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().
Title		media: nxp: imx8-isi: Fix streaming cleanup on release
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/029914306b93b37c6e7060793d2b6f76b935cfa6 https://git.kernel.org/stable/c/47773031a148ad7973b809cc7723cba77eda2b42

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-16T13:42:54.913Z

Updated: 2026-04-02T11:30:44.960Z

Reserved: 2025-12-16T13:41:40.251Z

Link: CVE-2025-68175

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-16T14:15:49.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68175

Redhat

Severity :

Publid Date: 2025-12-16T00:00:00Z

Links: CVE-2025-68175 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object