CVE-2025-39709 in Linuxinfo

Summary

by MITRE • 09/05/2025

In the Linux kernel, the following vulnerability has been resolved:

media: venus: protect against spurious interrupts during probe

Make sure the interrupt handler is initialized before the interrupt is registered.

If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference.

This error condition has been observed during system boot on Rb3Gen2.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/09/2026

The vulnerability identified as CVE-2025-39709 represents a critical race condition in the Linux kernel's venus media driver implementation that can lead to system instability and potential denial of service during hardware initialization. This issue specifically affects the Qualcomm Venus video codec driver used in mobile and embedded systems, where the driver must properly manage interrupt handling during the device probe sequence to prevent premature interrupt processing before the handler is fully initialized. The vulnerability occurs within the media subsystem of the Linux kernel, which is responsible for handling multimedia device drivers and their associated interrupt management mechanisms.

The technical flaw stems from an improper ordering of initialization steps within the venus driver's probe function where interrupt registration occurs before the interrupt handler is properly set up. According to CWE-362, this constitutes a race condition vulnerability where concurrent operations can lead to unpredictable behavior, and specifically aligns with CWE-476 which addresses null pointer dereferences that can occur when pointers are not properly initialized before use. The root cause is that when the hardware interrupt line is registered via request_irq() or similar functions before the handler function is properly installed through hfi_create(), any spurious interrupts that occur during this window can trigger a NULL pointer dereference because the interrupt handler function pointer has not yet been assigned to point to a valid handler routine.

The operational impact of this vulnerability manifests as system crashes or boot failures, particularly on devices running the Rb3Gen2 platform where this issue has been specifically observed during system boot processes. During the boot sequence, the kernel attempts to initialize the venus hardware component, but the interrupt handler setup race condition can cause the system to immediately crash upon receiving the first interrupt signal before the driver can properly establish its interrupt handling context. This vulnerability directly impacts the ATT&CK technique T1490 which involves system destruction and denial of service through manipulation of system resources, and also relates to T1070 which covers indicator removal and system modification through kernel-level attacks. The issue affects systems that rely on the venus driver for video processing capabilities, potentially rendering devices unusable during boot cycles and requiring system recovery procedures.

Mitigation strategies for this vulnerability involve ensuring proper initialization sequencing where interrupt registration occurs only after the interrupt handler has been fully established and validated. The fix requires modifying the driver's probe function to guarantee that hfi_create() is called before request_irq() or equivalent interrupt registration functions, thereby preventing the race condition window where spurious interrupts could occur. System administrators should ensure that kernel updates containing the fix are applied to all affected systems, particularly those running on Rb3Gen2 platforms or other devices using the venus media driver. Additionally, monitoring systems should be implemented to detect potential interrupt handling anomalies during boot processes, and hardware vendors should validate their device initialization sequences to prevent similar race conditions in other kernel subsystems. The fix aligns with security best practices outlined in the Linux kernel security documentation and should be prioritized as a critical update for all systems using the affected media driver components.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00149

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!