Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's Radeon Direct Rendering Manager (DRM) component, specifically within the video coding engine (VCE) command stream parsing function. The issue arises when the command stream, sent from userspace via an ioctl() call, is poorly crafted. In such cases, the function radeon_vce_cs_parse() may call radeon_vce_cs_reloc() with an uninitialized size argument. This occurs because 'size' refers to 'tmp', and 'tmp' can be read through 'size' before it has been assigned a value. The vulnerability has been addressed by initializing 'tmp' to zero, ensuring that radeon_vce_cs_reloc() can detect early errors in these scenarios.
Exploitation of this vulnerability could lead to undefined behavior in the kernel, potentially allowing for memory corruption or other unintended consequences.
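The pattern described above, reduced to a small model (an added example, not the kernel's code): a parser keeps a pointer that defaults to a local and is only retargeted by one command, so a stream that omits that command makes the callee read whatever the local holds. The opcodes, the two-word command layout and the names model_parse and model_reloc are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the pattern; opcodes and names are hypothetical. */
enum { OP_CREATE = 1, OP_RELOC = 2 };

static uint32_t session_size;   /* stands in for per-session state */
static uint32_t reloc_size_arg; /* last size the reloc check received */

/* Bounds check standing in for the relocation helper. */
static int model_reloc(uint32_t buf_len, uint32_t size)
{
    reloc_size_arg = size;
    return size > buf_len ? -EINVAL : 0;
}

/* Each command is two words: opcode, operand. */
static int model_parse(const uint32_t *cs, size_t ndw, uint32_t buf_len)
{
    /* The fix: 'tmp' has a defined value. With plain "uint32_t tmp;",
     * a stream that never issues OP_CREATE makes *size read an
     * indeterminate stack value at the OP_RELOC case below. */
    uint32_t tmp = 0;
    uint32_t *size = &tmp;
    int r;

    if (ndw % 2)
        return -EINVAL;               /* truncated command */
    for (size_t i = 0; i < ndw; i += 2) {
        switch (cs[i]) {
        case OP_CREATE:               /* only here is 'size' retargeted */
            session_size = cs[i + 1];
            size = &session_size;
            break;
        case OP_RELOC:                /* operand unused in this model */
            r = model_reloc(buf_len, *size);
            if (r)
                return r;
            break;
        default:
            return -EINVAL;           /* unknown opcode */
        }
    }
    return 0;
}
```

Building kernel or driver code with -Wmaybe-uninitialized, or running it under KMSAN, is the usual way to catch this class of read before it ships.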