CVE-2025-38229— media: cxusb: no longer judge rbuf when the write fails
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38229
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
media: cxusb: no longer judge rbuf when the write fails
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf. In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized. [1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev fs/read_write.c:848 [inline] vfs_writev+0x963/0x14e0 fs/read_write.c:1057 do_writev+0x247/0x5c0 fs/read_write.c:1101 __do_sys_writev fs/read_write.c:1169 [inline] __se_sys_writev fs/read_write.c:1166 [inline] __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于cxusb驱动在写入失败时错误判断rbuf状态,可能导致未初始化值使用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38229
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38229
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-07-04 · 59 CVEs total
| CVE-2025-38215 | fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var | |
| CVE-2025-38227 | media: vidtv: Terminating the subsequent process of initialization failure | |
| CVE-2025-38231 | nfsd: Initialize ssc before laundromat_work to prevent NULL dereference | |
| CVE-2025-38230 | jfs: validate AG parameters in dbMount() to prevent crashes | |
| CVE-2025-38228 | media: imagination: fix a potential memory leak in e5010_probe() | |
| CVE-2025-38233 | powerpc64/ftrace: fix clobbered r15 during livepatching | |
| CVE-2025-38219 | f2fs: prevent kernel warning due to negative i_nlink from corrupted image | |
| CVE-2025-38218 | f2fs: fix to do sanity check on sit_bitmap_size | |
| CVE-2025-38217 | hwmon: (ftsteutates) Fix TOCTOU race in fts_read() | |
| CVE-2025-38216 | iommu/vt-d: Restore context entry setup order for aliased devices | |
| CVE-2025-38221 | ext4: fix out of bounds punch offset | |
| CVE-2025-38214 | fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var | |
| CVE-2025-38212 | ipc: fix to protect IPCS lookups using RCU | |
| CVE-2025-38211 | RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction | |
| CVE-2025-38210 | configfs-tsm-report: Fix NULL dereference of tsm_ops | |
| CVE-2025-38209 | nvme-tcp: remove tag set when second admin queue config fails | |
| CVE-2025-38208 | smb: client: add NULL check in automount_fullpath | |
| CVE-2025-38207 | mm: fix uprobe pte be overwritten when expanding vma | |
| CVE-2025-38206 | exfat: fix double free in delayed_free | |
| CVE-2025-38205 | drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 |
Showing top 20 of 59 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-38229
No comments yet