CVE-2025-22028 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

media: vimc: skip .s_stream() for stopped entities

Syzbot reported [1] a warning prompted by a check in call_s_stream()
that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs.

Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started.

[1] Syzbot report:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460
Modules linked in:
CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0
...
Call Trace:
 <TASK>
 vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62
 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline]
 vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203
 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256
 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789
 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348
 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline]
 vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118
 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122
 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463
 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2b85c01b19
...


Analysis

by VulDB Data Team • 03/16/2026

The vulnerability described in CVE-2025-22028 resides within the Linux kernel's media subsystem, specifically within the Video for Linux 2 (V4L2) framework. This issue affects the vimc (Virtual Media Controller) driver which is part of the test drivers for media devices. The vulnerability manifests as a warning triggered during the execution of the .s_stream() operation on video subdevices, particularly when dealing with stopped or unstarted entities. The problem is rooted in the improper handling of stream termination procedures where the system attempts to invoke the .s_stream() callback on entities that have not been properly initialized or started, leading to inconsistent behavior and potential system instability.

The technical flaw occurs in the vimc_streamer_pipeline_terminate() function where the code fails to properly check the operational state of subdevices before attempting to call their .s_stream() methods. This oversight creates a scenario where the call_s_stream() function in v4l2-subdev.c encounters an unexpected condition, resulting in a kernel warning and potentially destabilizing the media streaming pipeline. The issue is particularly concerning because it involves the core stream management logic that governs how video capture and streaming operations are initiated and terminated within the kernel's media framework. According to CWE-691, this represents an inadequate control flow management issue where the system does not properly validate the state of components before invoking operations on them, leading to potential violations of expected operational sequences.

The operational impact of this vulnerability extends to systems utilizing the virtual media controller framework for testing or development purposes, particularly those employing the vimc test driver for video streaming applications. When triggered, the warning indicates a breakdown in the proper sequence of stream management operations that could lead to resource leaks, inconsistent device states, or potential denial of service conditions. The vulnerability affects the reliability of media pipeline operations and could compromise the stability of applications that depend on proper stream termination handling. Systems using the affected kernel versions may experience intermittent failures during streaming operations, particularly when transitioning between different pipeline states or when multiple streaming operations are performed concurrently.

Mitigation strategies for this vulnerability focus on implementing proper state validation within the vimc driver's stream termination logic. The fix involves modifying the vimc_streamer_pipeline_terminate() function to ensure that .s_stream() operations are only invoked on entities that have been previously started and are in a valid operational state. This approach aligns with ATT&CK technique T1547.001, which addresses the manipulation of system processes and services to maintain persistence or stability. The recommended solution involves adding a simple conditional check that verifies the entity's operational status before proceeding with stream termination callbacks. System administrators should ensure that all affected kernel versions are updated with the patched implementation, and organizations using virtual media controllers for testing should verify their configurations to prevent improper stream state transitions that could trigger this warning condition.
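
The guard described above, shown as a simplified user-space model (an added example, not the kernel patch or VulDB's code). The entity struct, the warning counter and the function names are hypothetical stand-ins, and the failed-start path mirrors the vimc_streamer_pipeline_init and vimc_streamer_pipeline_terminate frames in the call trace.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel code. */
struct entity { bool streaming; bool fail_start; };
static int warnings; /* stands in for the kernel WARN raised in call_s_stream() */

/* State check: starting a started entity or stopping a stopped one is flagged. */
static int s_stream(struct entity *e, bool enable)
{
    if (e->streaming == enable) { warnings++; return 0; }
    if (enable && e->fail_start) return -1;   /* constructed start failure */
    e->streaming = enable;
    return 0;
}

/* Stop the first n entities in reverse order. With guarded set, entities
 * that never started are skipped, which is the fix the text describes. */
static void pipeline_terminate(struct entity *p, int n, bool guarded)
{
    while (n-- > 0) {
        if (guarded && !p[n].streaming)
            continue;
        s_stream(&p[n], false);
    }
}

/* Start entities in order; on failure tear down everything added so far,
 * including the entity whose start failed. Returns the warning count. */
static int pipeline_init(struct entity *p, int n, bool guarded)
{
    warnings = 0;
    for (int i = 0; i < n; i++)
        if (s_stream(&p[i], true) < 0) {
            pipeline_terminate(p, i + 1, guarded);
            break;
        }
    return warnings;
}

/* Constructed three-entity pipeline whose last entity fails to start. */
static int run_case(bool guarded)
{
    struct entity pipe[] = { {false, false}, {false, false}, {false, true} };
    int w = pipeline_init(pipe, 3, guarded);
    for (int i = 0; i < 3; i++)
        if (pipe[i].streaming) return -1;     /* every entity must end stopped */
    return w;
}

int main(void)
{
    printf("unguarded: %d warning(s)\n", run_case(false));
    printf("guarded:   %d warning(s)\n", run_case(true));
    return 0;
}
```

In both cases every entity ends up stopped; only the unguarded teardown issues a stop to the entity that never started.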

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 04/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.00165
KEV: no
Activities: very low
