CVE-2025-22027

In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e	Patch
https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378	Patch
https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57	Patch
https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd	Patch
https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3	Patch
https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7	Patch
https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457	Patch
https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

06 May 2025, 16:45

Type	Values Removed	Values Added
CWE		CWE-476 CWE-362
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.7
CPE		cpe:2.3:o:linux:linux_kernel::::::::
References	~~() https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e -~~	() https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e - Patch
References	~~() https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378 -~~	() https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378 - Patch
References	~~() https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57 -~~	() https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57 - Patch
References	~~() https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd -~~	() https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd - Patch
References	~~() https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3 -~~	() https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3 - Patch
References	~~() https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7 -~~	() https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7 - Patch
References	~~() https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457 -~~	() https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457 - Patch
References	~~() https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1 -~~	() https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1 - Patch

02 May 2025, 07:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7 - () https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457 -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: streamzap: fix race between device disconnection and urb callback Syzkaller ha informado de un fallo de protección general en la función ir_raw_event_store_with_filter(). Este fallo se debe a una desreferencia del puntero NULL del puntero dev->raw, aunque se comprueba si es NULL en la misma función, lo que significa que hay una condición de ejecución. Se produce debido al orden incorrecto de acciones en la función streamzap_disconnect(): se llama a rc_unregister_device() antes de usb_kill_urb(). El puntero dev->raw se libera y se establece en NULL en rc_unregister_device(), y solo después de eso, usb_kill_urb() espera a que finalicen las solicitudes en curso. Si se llama a rc_unregister_device() mientras el controlador streamzap_callback() no ha finalizado, esto puede provocar el acceso a los recursos liberados. Por lo tanto, rc_unregister_device() debe llamarse después de usb_kill_urb(). Encontrado por el Centro de Verificación de Linux (linuxtesting.org) con Syzkaller.

16 Apr 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-16 15:15

Updated : 2025-05-06 16:45

NVD link : CVE-2025-22027

Mitre link : CVE-2025-22027

CVE.ORG link : CVE-2025-22027

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-476

NULL Pointer Dereference

{"id": "CVE-2025-22027", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2025-04-16T15:15:55.320", "references": [{"url": "https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: streamzap: fix race between device disconnection and urb callback\n\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev->raw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev->raw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\n\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: streamzap: fix race between device disconnection and urb callback Syzkaller ha informado de un fallo de protecci\u00f3n general en la funci\u00f3n ir_raw_event_store_with_filter(). Este fallo se debe a una desreferencia del puntero NULL del puntero dev->raw, aunque se comprueba si es NULL en la misma funci\u00f3n, lo que significa que hay una condici\u00f3n de ejecuci\u00f3n. Se produce debido al orden incorrecto de acciones en la funci\u00f3n streamzap_disconnect(): se llama a rc_unregister_device() antes de usb_kill_urb(). El puntero dev->raw se libera y se establece en NULL en rc_unregister_device(), y solo despu\u00e9s de eso, usb_kill_urb() espera a que finalicen las solicitudes en curso. Si se llama a rc_unregister_device() mientras el controlador streamzap_callback() no ha finalizado, esto puede provocar el acceso a los recursos liberados. Por lo tanto, rc_unregister_device() debe llamarse despu\u00e9s de usb_kill_urb(). Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "lastModified": "2025-05-06T16:45:53.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A01C068-E90F-49D2-B490-2D8DC5870FC9", "versionEndExcluding": "6.1.134", "versionStartIncluding": "2.6.36"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFF24260-49B1-4251-9477-C564CFDAD25B", "versionEndExcluding": "6.6.87", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

4.7 /10