{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22027", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.807Z", "datePublished": "2025-04-16T14:11:48.210Z", "dateUpdated": "2025-05-02T06:15:39.583Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-02T06:15:39.583Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: streamzap: fix race between device disconnection and urb callback\n\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev->raw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev->raw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\n\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/rc/streamzap.c"], "versions": [{"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "e11652a6514ec805440c1bb3739e6c6236fffcc7", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "f1d518c0bad01abe83c2df880274cb6a39f4a457", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "30ef7cfee752ca318d5902cb67b60d9797ccd378", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "15483afb930fc2f883702dc96f80efbe4055235e", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "adf0ddb914c9e5b3e50da4c97959e82de2df75c3", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "4db62b60af2ccdea6ac5452fd20e29587ed85f57", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "8760da4b9d44c36b93b6e4cf401ec7fe520015bd", "status": "affected", "versionType": "git"}, {"version": "8e9e60640067858e8036d4d43bbf725c60613359", "lessThan": "f656cfbc7a293a039d6a0c7100e1c846845148c1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/rc/streamzap.c"], "versions": [{"version": "2.6.36", "status": "affected"}, {"version": "0", "lessThan": "2.6.36", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.237", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.181", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.134", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.87", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.23", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.11", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7"}, {"url": "https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457"}, {"url": "https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378"}, {"url": "https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e"}, {"url": "https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3"}, {"url": "https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57"}, {"url": "https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd"}, {"url": "https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1"}], "title": "media: streamzap: fix race between device disconnection and urb callback", "x_generator": {"engine": "bippy-1.1.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: streamzap: fix race between device disconnection and urb callback\n\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev->raw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev->raw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\n\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: streamzap: fix race between device disconnection and urb callback Syzkaller ha informado de un fallo de protecci\u00f3n general en la funci\u00f3n ir_raw_event_store_with_filter(). Este fallo se debe a una desreferencia del puntero NULL del puntero dev->raw, aunque se comprueba si es NULL en la misma funci\u00f3n, lo que significa que hay una condici\u00f3n de ejecuci\u00f3n. Se produce debido al orden incorrecto de acciones en la funci\u00f3n streamzap_disconnect(): se llama a rc_unregister_device() antes de usb_kill_urb(). El puntero dev->raw se libera y se establece en NULL en rc_unregister_device(), y solo despu\u00e9s de eso, usb_kill_urb() espera a que finalicen las solicitudes en curso. Si se llama a rc_unregister_device() mientras el controlador streamzap_callback() no ha finalizado, esto puede provocar el acceso a los recursos liberados. Por lo tanto, rc_unregister_device() debe llamarse despu\u00e9s de usb_kill_urb(). Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller."}], "id": "CVE-2025-22027", "lastModified": "2025-05-02T07:15:59.253", "metrics": {}, "published": "2025-04-16T15:15:55.320", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Undergoing Analysis"}

{"bugzilla": {"description": "kernel: media: streamzap: fix race between device disconnection and urb callback", "id": "2360299", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360299"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmedia: streamzap: fix race between device disconnection and urb callback\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev->raw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev->raw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."], "name": "CVE-2025-22027", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22027\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22027\nhttps://lore.kernel.org/linux-cve-announce/2025041655-CVE-2025-22027-d850@gregkh/T"], "threat_severity": "Low"}