Executive Summary

Informations
Name CVE-2025-22027 First vendor Publication 2025-04-16
Vendor Cve Last vendor Modification 2025-05-06

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Overall CVSS Score 4.7
Base Score 4.7 Environmental Score 4.7
impact SubScore 3.6 Temporal Score 4.7
Exploitabality Sub Score 1
 
Attack Vector Local Attack Complexity High
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact None
Integrity Impact None Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

In the Linux kernel, the following vulnerability has been resolved:

media: streamzap: fix race between device disconnection and urb callback

Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish.

If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22027

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-476 NULL Pointer Dereference
50 % CWE-362 Race Condition

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 8
Os 3718

Sources (Detail)

https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e
https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378
https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57
https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd
https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3
https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7
https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457
https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2025-06-26 02:41:19
  • Multiple Updates
2025-06-25 12:38:24
  • Multiple Updates
2025-06-24 02:45:44
  • Multiple Updates
2025-05-27 02:54:44
  • First insertion