CVE-2025-23158

In the Linux kernel, the following vulnerability has been resolved:

media: venus: hfi: add check to handle incorrect queue size

qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size

if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) .... if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2) --> OOB write

Add check to ensure qsize is within the allocated size while reading and writing packets into the queue.

Published: May 1, 2025
Updated: Nov 6, 2025
CVE: CVE-2025-23158
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	4.13	5.4.293
linux / linux_kernel	5.5	5.10.237
linux / linux_kernel	5.11	5.15.181
linux / linux_kernel	5.16	6.1.135
linux / linux_kernel	6.2	6.6.88
linux / linux_kernel	6.7	6.12.24
linux / linux_kernel	6.13	6.13.12
linux / linux_kernel	6.14	6.14.3
debian / debian_linux	11.0	11.0.x

Vulnerability Database

309,540

CVE-2025-23158

Deep Security Visibility Without the Complexity