VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 12, 2025· Updated Apr 15, 2026

CVE-2025-40165

CVE-2025-40165

Description

In the Linux kernel, the following vulnerability has been resolved:

media: nxp: imx8-isi: m2m: Fix streaming cleanup on release

If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():

[ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072] v4l_streamon+0x24/0x30 [ 59.364556] __video_do_ioctl+0x40c/0x4a0 [ 59.368560] video_usercopy+0x2bc/0x690 [ 59.372382] video_ioctl2+0x18/0x24 [ 59.375857] v4l2_ioctl+0x40/0x60 [ 59.379168] __arm64_sys_ioctl+0xac/0x104 [ 59.383172] invoke_syscall+0x48/0x104 [ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613] do_el0_svc+0x1c/0x28 [ 59.394915] el0_svc+0x34/0xf4 [ 59.397966] el0t_64_sync_handler+0xa0/0xe4 [ 59.402143] el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---

Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's imx8-isi driver, imbalanced streamon/streamon/streamoff calls can prevent ISI channel cleanup and trigger a WARN_ON crash.

Vulnerability

CVE-2025-40165 is a vulnerability in the Linux kernel's NXP i.MX8 Image Sensor Interface (ISI) driver, specifically in the memory-to-memory (m2m) streaming path. The root cause is a missing cleanup when streamon/streamoff calls are imbalanced, such as when a user exits an application (e.g., with Ctrl+C) while streaming is active. This leaves the m2m usage_count non-zero, preventing the ISI channel from being freed. Additionally, if the input line width exceeds 2K, the imbalance triggers a kernel WARN_ON() in mxc_isi_channel_chain [1][2].

Exploitation

An attacker with local access to the system can trigger this vulnerability by running a V4L2 application that initiates streaming on the imx8-isi device and then abruptly terminating it (e.g., via SIGINT) while streaming is active. No special privileges beyond the ability to open the video device are required; the attack surface is the V4L4L2 ioctl interface exposed to user space [1][2].

Impact

Successful exploitation causes a kernel WARN_ON() splat, which may lead to a denial of service (system instability or crash). The warning message includes a call trace shows the issue occurs in mxc_isi_m2m_streamon and v4l_streamon functions. While the WARN_ON itself does not directly corrupt memory, the underlying resource leak (unreleased ISI channel could lead to resource exhaustion or unpredictable behavior in subsequent streaming attempts [1][2].

Mitigation

The fix has been applied to the Linux kernel stable tree in commits b0d438c7b433 and e8b5f4d80775. Users should update their kernel to include these patches. No workaround is available other than ensuring proper application shutdown or applying the kernel update [1][2].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

4
50c721be2cff
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e8b5f4d80775
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
b0d438c7b433
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
178aa3360220
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.