VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40208

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix module removal if firmware download failed

Fix remove if firmware failed to load:
qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2
qcom-iris aa00000.video-codec: firmware download failed
qcom-iris aa00000.video-codec: core init failed

then:
$ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind

Triggers:
genpd genpd:1:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
video_cc_mvs0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#1: sh/542

pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac

Call trace:
 clk_core_disable+0xa4/0xac (P)
 clk_disable+0x30/0x4c
 iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
 iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
 iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
 iris_vpu_power_off+0x34/0x84 [qcom_iris]
 iris_core_deinit+0x44/0xc8 [qcom_iris]
 iris_remove+0x20/0x48 [qcom_iris]
 platform_remove+0x20/0x30
 device_remove+0x4c/0x80

---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
video_cc_mvs0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#2: sh/542

pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110

Call trace:
 clk_core_unprepare+0xf0/0x110 (P)
 clk_unprepare+0x2c/0x44
 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
 iris_vpu_power_off_hw+0x48/0x58 [qcom_iris]
 iris_vpu33_power_off_hardware+0x44/0x230 [qcom_iris]
 iris_vpu_power_off+0x34/0x84 [qcom_iris]
 iris_core_deinit+0x44/0xc8 [qcom_iris]
 iris_remove+0x20/0x48 [qcom_iris]
 platform_remove+0x20/0x30
 device_remove+0x4c/0x80

---[ end trace 0000000000000000 ]---
genpd genpd:0:aa00000.video-codec: Runtime PM usage count underflow!
------------[ cut here ]------------
gcc_video_axi0_clk already disabled
WARNING: drivers/clk/clk.c:1206 at clk_core_disable+0xa4/0xac, CPU#4: sh/542

pc : clk_core_disable+0xa4/0xac
lr : clk_core_disable+0xa4/0xac

Call trace:
 clk_core_disable+0xa4/0xac (P)
 clk_disable+0x30/0x4c
 iris_disable_unprepare_clock+0x20/0x48 [qcom_iris]
 iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
 iris_vpu_power_off+0x48/0x84 [qcom_iris]
 iris_core_deinit+0x44/0xc8 [qcom_iris]
 iris_remove+0x20/0x48 [qcom_iris]
 platform_remove+0x20/0x30
 device_remove+0x4c/0x80

------------[ cut here ]------------
gcc_video_axi0_clk already unprepared
WARNING: drivers/clk/clk.c:1065 at clk_core_unprepare+0xf0/0x110, CPU#4: sh/542

pc : clk_core_unprepare+0xf0/0x110
lr : clk_core_unprepare+0xf0/0x110

Call trace:
 clk_core_unprepare+0xf0/0x110 (P)
 clk_unprepare+0x2c/0x44
 iris_disable_unprepare_clock+0x28/0x48 [qcom_iris]
 iris_vpu33_power_off_controller+0x17c/0x428 [qcom_iris]
 iris_vpu_power_off+0x48/0x84 [qcom_iris]
 iris_core_deinit+0x44/0xc8 [qcom_iris]
 iris_remove+0x20/0x48 [qcom_iris]
 platform_remove+0x20/0x30
 device_remove+0x4c/0x80

---[ end trace 0000000000000000 ]---

Skip deinit if initialization never succeeded.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's iris media driver, failure to load firmware during initialization can lead to clock mismanagement and runtime PM underflow errors when the device is later removed.

Root Cause

The vulnerability occurs in the qcom-iris video codec driver when firmware download fails during initialization. If firmware_download() returns an error, the driver's core_init fails, but the subsequent remove path does not account for the partially initialized state. Specifically, iris_remove calls iris_core_deinit which attempts to disable and unprepare clocks that were never enabled or prepared, leading to warnings and runtime PM underflow.

Exploitation

Exploitation requires local access to the system and the ability to unbind the device from its driver, e.g., by writing to /sys/bus/platform/drivers/qcom-iris/unbind. The attack surface is limited to systems using the Qualcomm iris video accelerator hardware, and the attacker must first cause the firmware to fail to load (e.g., by removing the firmware file) before unbinding.

Impact

The bug results in kernel warnings such as "video_cc_mvs0_clk already disabled" and "Runtime PM usage count underflow!" These warnings indicate that the kernel's clock and power management state machine has become inconsistent. While the issue does not directly allow privilege escalation or code execution, it can lead to system instability or denial of service by corrupting power management state.

Mitigation

The fix ensures that iris_remove properly checks whether initialization completed before attempting to clean up resources. Patches have been applied to the stable kernel branches as commits [1] and [2]. Users should apply the latest kernel updates to their distribution.
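The unbalanced teardown and the guard described above can be reproduced in a small user-space C model. This is an added example, not the kernel patch or qcom-iris code: the struct and function names and the two-domain layout are assumptions, and a failed init is assumed to hold no clock or runtime-PM references.

```c
#include <stdio.h>

/* Constructed user-space model; names below are illustrative, not driver symbols. */
struct domain { const char *genpd, *clk; int pm_usage, prepared, enabled; };
struct core { struct domain hw, ctrl; int initialized; };

static void power_on(struct domain *d) { d->pm_usage++; d->prepared++; d->enabled++; }

/* Drops one reference of each kind; warns instead of letting a count go negative. */
static int power_off(struct domain *d)
{
    int warnings = 0;
    if (d->pm_usage > 0) d->pm_usage--;
    else { printf("%s: Runtime PM usage count underflow!\n", d->genpd); warnings++; }
    if (d->enabled > 0) d->enabled--;
    else { printf("%s already disabled\n", d->clk); warnings++; }
    if (d->prepared > 0) d->prepared--;
    else { printf("%s already unprepared\n", d->clk); warnings++; }
    return warnings;
}

/* Model assumption: a failed init returns holding no clock or PM references. */
static int core_init(struct core *c, int firmware_present)
{
    if (!firmware_present) return -2;           /* same error code as in the log */
    power_on(&c->ctrl); power_on(&c->hw);
    c->initialized = 1;
    return 0;
}

/* guarded == 0: always power off. guarded == 1: skip if init never succeeded. */
static int core_deinit(struct core *c, int guarded)
{
    if (guarded && !c->initialized) return 0;
    c->initialized = 0;
    return power_off(&c->hw) + power_off(&c->ctrl);
}

/* Bind (init) then unbind (deinit); returns the warnings raised by the unbind. */
static int unbind_warnings(int firmware_present, int guarded)
{
    struct core c = { { "genpd:1", "video_cc_mvs0_clk", 0, 0, 0 },
                      { "genpd:0", "gcc_video_axi0_clk", 0, 0, 0 }, 0 };
    core_init(&c, firmware_present);
    return core_deinit(&c, guarded);
}

int main(void)
{
    printf("unguarded, firmware missing: %d warnings\n", unbind_warnings(0, 0));
    printf("guarded,   firmware missing: %d warnings\n", unbind_warnings(0, 1));
    printf("guarded,   firmware present: %d warnings\n", unbind_warnings(1, 1));
    return 0;
}
```

The unguarded path emits the same three messages per power domain, in the same order, as the log in the description; the guarded path stays silent whether or not the firmware was found.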

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (inferred, 2 versions)
    • (no CPE)
    • (no CPE), range: <=6.13 (stable branch receiving fix)

Patches

2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
