CVE-2025-21996

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636Patch
• https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8Patch
• https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65dPatch
• https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69Patch
• https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9Patch
• https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713Patch
• https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235cPatch
• https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8Patch
• https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
• https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html