| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011310-CVE-2025-68808-4cb9@gregkh> Date: Tue, 13 Jan 2026 16:29:34 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68808: media: vidtv: initialize local pointers upon transfer of memory ownership From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. The Linux kernel CVE team has assigned CVE-2025-68808 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10 with commit 3be8037960bccd13052cfdeba8805ad785041d70 and fixed in 6.1.160 with commit 3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e Issue introduced in 5.10 with commit 3be8037960bccd13052cfdeba8805ad785041d70 and fixed in 6.6.120 with commit fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 Issue introduced in 5.10 with commit 3be8037960bccd13052cfdeba8805ad785041d70 and fixed in 6.12.64 with commit a69c7fd603bf5ad93177394fbd9711922ee81032 Issue introduced in 5.10 with commit 3be8037960bccd13052cfdeba8805ad785041d70 and fixed in 6.18.3 with commit 30f4d4e5224a9e44e9ceb3956489462319d804ce Issue introduced in 5.10 with commit 3be8037960bccd13052cfdeba8805ad785041d70 and fixed in 6.19-rc1 with commit 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68808 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/media/test-drivers/vidtv/vidtv_channel.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322
Powered by blists - more mailing lists