CVE-2025-68808
Description
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: initialize local pointers upon transfer of memory ownership
vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership.
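The ownership-transfer pattern described above, reduced to a user-space model. This is an added example, not the kernel's code or the upstream patch: every name in it is hypothetical, and a counting `release()` stands in for `kfree()` so the second release is recorded instead of corrupting memory.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed user-space model; all names are hypothetical, not kernel code. */
struct event { int frees; struct event *next; };
struct table { struct event *events; };

static int double_frees; /* releases of a node that was already released */
/* Stand-in for kfree(): records the release instead of returning memory,
 * so a repeated release is counted rather than corrupting the heap. */
static void release(struct event *e) { if (e->frees++) double_frees++; }

/* Walks and releases a list; a NULL list is a no-op. */
static void event_list_destroy(struct event *e)
{
    while (e) { struct event *next = e->next; release(e); e = next; }
}

/* Assign hands the list to the table, which then owns it. */
static void table_assign(struct table *t, struct event *e) { t->events = e; }
static void table_destroy(struct table *t) { event_list_destroy(t->events); t->events = NULL; }

/* Returns the number of double frees seen while tearing down. */
static int channel_si_init(int clear_after_assign, int later_step_fails)
{
    struct event pool[2] = { {0, NULL}, {0, NULL} };
    struct table eit = { NULL };
    struct event *events = &pool[0]; /* temporary local list */
    pool[0].next = &pool[1];
    double_frees = 0;
    table_assign(&eit, events);      /* ownership moves to the table */
    if (clear_after_assign)
        events = NULL;               /* the fix: drop the stale local pointer */
    if (later_step_fails)
        goto free_eit;               /* models the failing later step */
    table_destroy(&eit);
    return double_frees;

free_eit:
    table_destroy(&eit);             /* releases the list the table owns */
    event_list_destroy(events);      /* stale pointer releases it again */
    return double_frees;
}

int main(void)
{
    printf("unpatched: %d double frees\n", channel_si_init(0, 1));
    printf("patched:   %d double frees\n", channel_si_init(1, 1));
    return 0;
}
```

Because the list destructor in the model treats NULL as a no-op, clearing the local pointer right after the assign call is enough to make the shared error path safe.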
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's vidtv driver, uninitialized local pointers after memory ownership transfer cause use-after-free and double-free vulnerabilities.
Vulnerability Overview
In the Linux kernel's media subsystem, the vidtv driver's vidtv_channel_si_init() function creates temporary lists (program, service, event) and transfers memory ownership to PAT, SDT, and EIT tables via vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), and vidtv_psi_eit_event_assign(). However, after the transfer, the local pointers are not set to NULL, leading to a double-free vulnerability when error handling paths call both vidtv_psi_*_table_destroy() and vidtv_psi_*_event_destroy() on the same memory. The uninitialized pointer can still reference freed memory, resulting in a use-after-free scenario [1][2][3].
Exploitation Conditions
An attacker would need to trigger an error condition in the vidtv driver's initialization flow, specifically within vidtv_psi_pmt_create_sec_for_each_pat_entry(), that causes the code to jump to the free_eit label. At that point, the memory freed by vidtv_psi_*_table_destroy() may be accessed again by vidtv_psi_*_event_destroy() due to the stale local pointer. No special privileges or network access are required beyond the ability to interact with the driver through the V4L2 media API, but exploitation depends on inducing a specific error path during channel setup.
Impact
Successful exploitation can lead to memory corruption, including a double-free condition that can be leveraged for privilege escalation or denial of service. The use-after-free aspect could allow an attacker to manipulate kernel memory, potentially resulting in arbitrary code execution in the kernel context, though the primary risk is system instability or local privilege escalation.
Mitigation Status
The fix for this vulnerability has been applied to the Linux kernel stable tree in commits a69c7fd603bf5ad93177394fbd9711922ee81032, 12ab6ebb37789b84073e83e4d9b14a5e0d133323, and 3caa9f9b4e (references [1], [2], [3] respectively). Users should update to the latest kernel version that includes these patches. No workaround is available beyond applying the security update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323 (nvd)
- git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce (nvd)
- git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e (nvd)
- git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322 (nvd)
- git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 (nvd)
- git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108 (nvd)
- git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 (nvd)