CVE-2025-40302
Description
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: forbid remove_bufs when legacy fileio is active
The vb2_ioctl_remove_bufs() call manipulates the queue's internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, vb2_ioctl_remove_bufs() can corrupt internal queue state when legacy fileio is active, leading to potential memory corruption.
Vulnerability
Description
The vulnerability resides in the Linux kernel's videobuf2 subsystem, specifically in the vb2_ioctl_remove_bufs() function [1]. This function manipulates the internal buffer list of a video buffer queue. When legacy fileio (file I/O) access mode is active, these internal pointers are also used by the read/write operations. Calling remove_bufs in this state can overwrite those pointers, corrupting the queue's internal state and leading to undefined behavior, including potential memory corruption [1].
Exploitation
Conditions
An attacker requires local access to the system and the ability to invoke the VIDIOC_REMOVE_BUFS ioctl on a video device node while a file descriptor is using the legacy fileio mode for that same device. The attack does not require authentication beyond having permission to open the device file and issue ioctl calls. The prerequisite is that the fileio mode must be active at the time of the ioctl [1].
Impact
If exploited, an attacker could cause the kernel to operate on corrupted queue state, potentially leading to memory corruption. This could result in a system crash (denial of service) or, if carefully controlled, possible arbitrary code execution in kernel context. However, the primary risk from the patch description is a kernel panic due to corrupted pointers [1].
Mitigation
The fix is included in the Linux kernel commit "27afd6e066cfd80ddbe22a4a11b99174ac89cced" [1]. The commit adds a check to vb2_ioctl_remove_bufs() that returns an error (-EBUSY) if legacy fileio is active for the queue, preventing the unsafe operation. Users should apply kernel updates from their distribution that include this commit. No workaround other than avoiding the use of legacy fileio alongside remove_bufs is available [1].
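To make the failure mode and the fix concrete, here is an added C model, not kernel code and not taken from the patch, of a queue whose legacy fileio path caches a buffer index across read() calls; the struct, its field names and the function names are constructed for illustration, and the guarded variant mirrors the -EBUSY refusal the commit adds.

```c
#include <errno.h>
#define MAX_BUFS 8
/* Constructed model of a videobuf2 queue (not the kernel's struct vb2_queue):
 * buffer slots plus legacy fileio state that caches the index it is reading. */
struct vb_queue {
    int present[MAX_BUFS];  /* 1 if the slot holds an allocated buffer */
    int num_buffers;
    int fileio_active;      /* stands in for q->fileio != NULL */
    int fileio_cur_index;   /* cached buffer index reused across read() calls */
};

void queue_init(struct vb_queue *q, int count) {
    q->num_buffers = count;
    q->fileio_active = q->fileio_cur_index = 0;
    for (int i = 0; i < MAX_BUFS; i++) q->present[i] = i < count;
}

/* First read()/write() switches the queue into legacy fileio mode. */
int fileio_start(struct vb_queue *q) {
    if (q->num_buffers == 0) return -EINVAL;
    q->fileio_active = 1; q->fileio_cur_index = 0;
    return 0;
}

/* Later read(): consume the cached buffer and advance. Returns the index used,
 * or -ENXIO when that slot's buffer was removed underneath fileio. */
int fileio_read_step(struct vb_queue *q) {
    int idx = q->fileio_cur_index;
    if (!q->fileio_active) return -EINVAL;
    if (!q->present[idx]) return -ENXIO;
    q->fileio_cur_index = (idx + 1) % MAX_BUFS;
    return idx;
}

/* Unguarded VIDIOC_REMOVE_BUFS model: drops [start, start+count) regardless
 * of fileio, invalidating the index the read path still holds. */
int remove_bufs_unguarded(struct vb_queue *q, int start, int count) {
    if (start < 0 || count <= 0 || start + count > MAX_BUFS) return -EINVAL;
    for (int i = start; i < start + count; i++)
        if (!q->present[i]) return -EINVAL;
    for (int i = start; i < start + count; i++)
        q->present[i] = 0;
    q->num_buffers -= count;
    return 0;
}

/* Guarded version mirroring the fix: -EBUSY while fileio is active. */
int remove_bufs_guarded(struct vb_queue *q, int start, int count) {
    return q->fileio_active ? -EBUSY : remove_bufs_unguarded(q, start, count);
}
```

With fileio active, the guarded ioctl is rejected and subsequent reads keep working, whereas the unguarded path removes the slot the read path will use next and the following read finds a buffer that no longer exists.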
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
3a6a493b985bfe819b34df0a727afd6e066cf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References