VYPR
Low severity 2.3 · NVD Advisory · Published Dec 28, 2015 · Updated May 6, 2026

CVE-2015-7884

Description

The vivid_fb_ioctl function in Linux kernel's vivid-osd driver leaks 16 uninitialized bytes of kernel memory to local users via the FBIOGET_VBLANK ioctl.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through version 4.3.3 fails to initialize the reserved member of the struct fb_vblank structure before copying it to userspace. This affects the Virtual Video Test Driver (vivid), which is typically used for testing and development. The bug was introduced by commit eda98796aff0d9bf41094b06811f5def3b4c333c. [1][2]

Exploitation

An attacker needs only local access to the system and the ability to open the /dev/video device associated with the vivid driver. By issuing the FBIOGET_VBLANK ioctl on the device, the vivid_fb_ioctl function copies the uninitialized structure to user space without zeroing out the reserved bytes. No special privileges or race conditions are required beyond local access to the system. [1][2]

Impact

A successful exploit allows a local user to read 16 uninitialized bytes from kernel heap memory. This results in an information disclosure vulnerability (CIA impact: confidentiality). The leaked data could contain sensitive kernel information, though the content is unpredictable and depends on heap state. The vulnerability is considered low severity (CVSS 2.3) because it requires local access and only leaks a small amount of memory. [1][2]

Mitigation

The issue was fixed in Linux kernel version 4.4-rc1 with commit eda98796aff0d9bf41094b06811f5def3b4c333c, which correctly initializes struct fb_vblank before use. Ubuntu addressed it in USN-2843-1 (December 2015) for the Wily 15.10 kernel and USN-2843-2 for the Wily HWE kernel. Red Hat closed the bug as NOTABUG, likely because the vivid driver is not intended for production use. Users who do not need the vivid driver can blacklist it or ensure their kernel is updated to a patched version. [1][3][4]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

eda98796aff0

[media] media/vivid-osd: fix info leak in ioctl

https://github.com/torvalds/linux · Salva Peiró · Oct 7, 2015 · via nvd-ref
1 file changed · +1 -0
  • drivers/media/platform/vivid/vivid-osd.c · +1 -0 · modified
    @@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
     	case FBIOGET_VBLANK: {
     		struct fb_vblank vblank;
     
    +		memset(&vblank, 0, sizeof(vblank));
     		vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
     			FB_VBLANK_HAVE_VSYNC;
     		vblank.count = 0;
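
Review bot: `vblank.count = 0;` in the trailing context is now a redundant store, because the added `memset(&vblank, 0, sizeof(vblank));` already zeroes every field; either drop zero assignments like this one or keep them knowingly as documentation. A short comment above the memset() saying it exists to clear the fields this case never assigns (the commit title calls this an info leak) would stop a later cleanup from swapping it for field-by-field initialization.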
    

Vulnerability mechanics

Root cause

"The vivid_fb_ioctl function fails to initialize a structure member, leading to information disclosure."

Attack vector

Local users with elevated privileges can trigger this vulnerability from a crafted application that reaches the vivid_fb_ioctl function. That function handles ioctl commands, and the affected path is the FBIOGET_VBLANK case. Because the `fb_vblank` structure is not fully initialized there, uninitialized memory containing sensitive kernel data can be exposed.

Affected code

The vulnerability resides in the `vivid_fb_ioctl` function, located in the file `drivers/media/platform/vivid/vivid-osd.c`. Specifically, the code path handling the `FBIOGET_VBLANK` ioctl command is affected.

What the fix does

The patch adds a `memset()` call that zeroes the `fb_vblank` structure before it is filled within the `vivid_fb_ioctl` function [patch_id=4376390]. This ensures that all members of the structure, including the 16 reserved bytes, are initialized to zero. With the structure zeroed, no previously uninitialized memory remains in it, which prevents the disclosure of sensitive information from kernel memory.
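
The effect of that one-line fix, shown as an added userspace simulation (not kernel code and not taken from the patch). The names `vblank_mirror`, `handle_get_vblank`, `leaked_bytes`, the `STALE` marker and the flag value are assumptions made for the illustration; the struct layout of four 32-bit fields followed by 16 reserved bytes is assumed to match `fb_vblank`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed mirror of the fb_vblank layout: four u32 fields, then 16 reserved bytes. */
struct vblank_mirror {
    uint32_t flags, count, vcount, hcount;
    uint32_t reserved[4];
};

#define STALE 0xA5 /* constructed marker standing in for leftover kernel data */

/* Simulated FBIOGET_VBLANK handler. `slot` plays the stack slot that holds the
 * struct and arrives full of stale bytes; `zero_first` selects the patched path. */
static void handle_get_vblank(struct vblank_mirror *slot, int zero_first,
                              unsigned char *user_out)
{
    if (zero_first)
        memset(slot, 0, sizeof(*slot));          /* the one-line fix */
    slot->flags = 0x1;                           /* placeholder flag value */
    slot->count = slot->vcount = slot->hcount = 0; /* reserved[] never assigned */
    memcpy(user_out, slot, sizeof(*slot));       /* stands in for copy_to_user() */
}

/* Count stale bytes that reach the caller; *first gets the offset of the first one. */
static size_t leaked_bytes(int zero_first, size_t *first)
{
    struct vblank_mirror slot;
    unsigned char out[sizeof(slot)];
    size_t i, n = 0;

    memset(&slot, STALE, sizeof(slot));          /* pre-existing memory contents */
    handle_get_vblank(&slot, zero_first, out);
    for (i = 0; i < sizeof(out); i++)
        if (out[i] == STALE && n++ == 0 && first)
            *first = i;
    return n;
}

int main(void)
{
    size_t off = 0;
    size_t before = leaked_bytes(0, &off);
    printf("unpatched: %zu stale bytes from offset %zu\n", before, off);
    printf("patched:   %zu stale bytes\n", leaked_bytes(1, NULL));
    return 0;
}
```

The stale bytes appear only in the `reserved` array, which is why assigning the named fields one by one does not close the leak while zeroing the whole struct does.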

Preconditions

  • auth: Local users with elevated privileges are required.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
