CVE-2025-22096 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/gem: Fix error code msm_parse_deps()
The SUBMIT_ERROR() macro turns the error code negative. This extra '-' operation turns it back to positive EINVAL again. The error code is passed to ERR_PTR() and since positive values are not an IS_ERR() it eventually will lead to an oops. Delete the '-'.
Patchwork: https://patchwork.freedesktop.org/patch/637625/
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability identified as CVE-2025-22096 resides within the Linux kernel's graphics subsystem, specifically in the drm/msm/gem component responsible for managing graphics memory operations. This issue represents a critical error handling flaw that can lead to system instability and potential privilege escalation. The vulnerability manifests in the msm_parse_deps() function where improper error code handling creates a condition that can result in kernel oops or system crashes. The problem occurs during the processing of graphics command submissions where the kernel fails to properly manage error codes returned by the SUBMIT_ERROR() macro.
The technical flaw is a sign error in the kernel's error propagation. The SUBMIT_ERROR() macro already turns the error code negative. msm_parse_deps() then applies an additional unary minus to this already-negative value, converting it back to positive EINVAL. This positive value is passed to ERR_PTR(), which simply casts the integer to a pointer. IS_ERR() recognizes only pointers that encode a negative errno value (-MAX_ERRNO through -1), so the pointer built from positive EINVAL does not register as an error, the caller's IS_ERR() check does not catch the failure, and the kernel oopses when it later dereferences the invalid pointer.
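The sign error described above, reproduced in userspace C as an added example (not code from the kernel patch or from this page). ERR_PTR(), PTR_ERR() and IS_ERR() mirror the helpers in include/linux/err.h; submit_error(), parse_deps_buggy(), parse_deps_fixed() and caller_check() are hypothetical stand-ins that model only the negation.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace copies of the helpers in include/linux/err.h. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static int IS_ERR(const void *ptr)
{
	/* Only the top MAX_ERRNO addresses (-MAX_ERRNO..-1) count as errors. */
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Hypothetical stand-in for SUBMIT_ERROR(): models only the negation. */
static int submit_error(int err) { return -err; }

/* Before the fix: the extra '-' turns the value back into +EINVAL. */
static void *parse_deps_buggy(void) { return ERR_PTR(-submit_error(EINVAL)); }

/* After the fix: the value stays -EINVAL. */
static void *parse_deps_fixed(void) { return ERR_PTR(submit_error(EINVAL)); }

/* Caller pattern: returns the errno if the failure is caught, 0 if the
 * caller would carry on and use the pointer as a valid object. */
static long caller_check(const void *p)
{
	if (IS_ERR(p))
		return PTR_ERR(p);
	return 0;
}

int main(void)
{
	void *bad = parse_deps_buggy();
	void *good = parse_deps_fixed();

	printf("buggy: ptr=%p IS_ERR=%d caller sees %ld\n",
	       bad, IS_ERR(bad), caller_check(bad));
	printf("fixed: ptr=%p IS_ERR=%d caller sees %ld\n",
	       good, IS_ERR(good), caller_check(good));
	return 0;
}
```

In the buggy case the returned "pointer" is the small integer EINVAL, so a caller that trusts IS_ERR() goes on to dereference a near-NULL address, which is the oops the commit message describes.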
This vulnerability directly relates to CWE-755 Improper Handling of Exceptional Conditions and CWE-248 Uncaught Exception, as it demonstrates improper error handling within kernel space operations. The flaw follows patterns commonly seen in kernel security issues where error code manipulation introduces unexpected behavior that can be exploited to cause system instability. The operational impact of this vulnerability extends beyond simple system crashes, as it can potentially be leveraged by malicious actors to execute arbitrary code or escalate privileges within the graphics subsystem. The vulnerability affects systems running Linux kernels with the msm graphics driver, particularly those utilizing Qualcomm Snapdragon-based hardware where this driver is commonly deployed.
The mitigation strategy for CVE-2025-22096 involves applying the official kernel patch that removes the erroneous unary minus operation from the msm_parse_deps() function. This patch ensures that error codes maintain their proper negative value throughout the error handling chain, allowing ERR_PTR() and IS_ERR() macros to function correctly. System administrators should prioritize updating their kernel versions to include this fix, particularly in environments where graphics-intensive applications are deployed. The vulnerability represents a classic example of how seemingly minor code modifications can introduce critical security flaws in kernel space, emphasizing the importance of thorough code review and testing of error handling paths. Organizations should also implement monitoring for kernel oops messages and system instability indicators that may suggest exploitation attempts. The fix aligns with ATT&CK technique T1068 Exploitation for Privilege Escalation by addressing a kernel-level vulnerability that could potentially be leveraged for unauthorized system access.