VYPR NVD Advisory · Severity: Unrated · Published Jan 14, 2026 · Updated Apr 15, 2026

CVE-2025-71140

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Use spinlock for context list protection lock

Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.

Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered.

Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a mutex used to protect video context lists was unsafe on MT8173 because the IPI handler runs in hard IRQ context, requiring a spinlock to avoid scheduler warnings and potential NULL-pointer dereferences.

Root Cause

The vulnerability in the Linux kernel's Mediatek video codec driver (mtk-vcodec) stems from incorrect locking of the encoder and decoder context lists. Earlier code added a mutex to protect these lists from unexpected changes by the SCP (System Control Processor) IP block, which could otherwise cause the context pointer to become invalid and lead to a NULL-pointer dereference in the IPI handler [2]. However, on the MT8173 platform, the VPU IPI handler runs in hard IRQ context, making the mutex unsafe because sleeping locks are forbidden in atomic context [1][3]. This mismatch triggers a scheduler warning and, under the right conditions, a NULL-pointer dereference crash [2].

Attack Vector and Prerequisites

Exploitation requires local access to trigger the affected code paths through the video encoder or decoder interface. The issue was shown to be reproducible on mainline using Fluster with FFmpeg's v4l2m2m decoders, even if the actual capture format is not supported, because the vulnerable code paths are still entered [1][3]. No special privileges beyond normal user access to the video device are needed, but the attack surface is limited to systems with the Mediatek video codec hardware and the mtk-vcodec driver loaded.

Impact

A successful exploitation results in a kernel NULL-pointer dereference, causing a denial-of-service (system crash) [2]. Because the bug is triggered in an atomic context (hard IRQ), the system cannot recover gracefully, and the machine may hang or panic. An attacker with local user access could repeatedly trigger the condition to disrupt service. There is no indication from the provided references that the bug can lead to privilege escalation or arbitrary code execution.

Mitigation

The fix, merged into the stable Linux kernel trees, replaces the mutex with a spinlock, which is appropriate for atomic context [1][2][3][4]. The commit notes that operations on the context list are very fast, so the spinlock's busy-waiting does not impose a significant performance penalty [2]. System administrators should apply the latest stable kernel update containing this commit. No CVSS score or KEV listing was provided with this CVE.
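As an added illustration (not code from the kernel, the mtk-vcodec driver, or this advisory), the following user-space C model mirrors the locking rule behind the Root Cause and Mitigation sections: a context-list lookup run from hard IRQ context raises a sleeping-lock warning when guarded by a mutex and none when guarded by a spinlock. The lock functions and the IRQ-context flag are simplified stand-ins for the kernel's mutex_lock(), spin_lock_irqsave() and might_sleep() checks, and the list contents are a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>

/* Caller context, a stand-in for what the kernel derives from preempt_count(). */
enum ctx_state { CTX_PROCESS, CTX_HARDIRQ };
static enum ctx_state current_ctx = CTX_PROCESS;
static int sleep_in_atomic_warnings;   /* models "BUG: scheduling while atomic" */

/* mutex_lock() may sleep, so the kernel's might_sleep() check fires in hard IRQ context. */
static void model_mutex_lock(void)
{
	if (current_ctx == CTX_HARDIRQ)
		sleep_in_atomic_warnings++;
}
/* spin_lock_irqsave() never sleeps: it disables local interrupts and spins, so it is legal here. */
static void model_spin_lock_irqsave(void) { }
static void model_unlock(void) { }     /* unlock paths are no-ops in this single-threaded model */

/* A context list shaped like the driver's per-device list of codec contexts (constructed sample). */
struct vcodec_ctx { int id; struct vcodec_ctx *next; };
static struct vcodec_ctx ctx_a = { 1, NULL };
static struct vcodec_ctx ctx_b = { 2, &ctx_a };
static struct vcodec_ctx *ctx_list = &ctx_b;

/* Walk the list by id; must only be called with the list lock held. */
static struct vcodec_ctx *find_ctx_locked(int id)
{
	for (struct vcodec_ctx *c = ctx_list; c; c = c->next)
		if (c->id == id)
			return c;
	return NULL;
}

/* One IPI-handler lookup run in modelled hard IRQ context, as on MT8173.
 * Returns how many sleeping-lock warnings the lookup raised; *found gets the context or NULL. */
static int ipi_lookup(bool use_spinlock, int id, struct vcodec_ctx **found)
{
	int before = sleep_in_atomic_warnings;
	current_ctx = CTX_HARDIRQ;
	if (use_spinlock) model_spin_lock_irqsave(); else model_mutex_lock();
	*found = find_ctx_locked(id);
	model_unlock();
	current_ctx = CTX_PROCESS;
	return sleep_in_atomic_warnings - before;
}

/* Wrappers used by the checks: warning count, and whether the context was found. */
static int warnings_for(bool use_spinlock, int id) { struct vcodec_ctx *c; return ipi_lookup(use_spinlock, id, &c); }
static bool lookup_found(bool use_spinlock, int id) { struct vcodec_ctx *c; ipi_lookup(use_spinlock, id, &c); return c != NULL; }
```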

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
