{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T14:17:16.364","vulnerabilities":[{"cve":{"id":"CVE-2025-38558","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-19T17:15:32.100","lastModified":"2025-11-28T14:42:30.450","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[    2.756273] Mem abort info:\n[    2.760080]   ESR = 0x0000000096000005\n[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.771068]   SET = 0, FnV = 0\n[    2.771069]   EA = 0, S1PTW = 0\n[    2.771070]   FSC = 0x05: level 1 translation fault\n[    2.771071] Data abort info:\n[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[    2.771084] Dumping ftrace buffer:\n[    2.771085]    (ftrace buffer empty)\n[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15\n[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771146] sp : ffffffc08140bbb0\n[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[    2.771156] Call trace:\n[    2.771157]  __uvcg_fill_strm+0x198/0x2cc\n[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290\n[    2.771159]  configfs_symlink+0x1f8/0x630\n[    2.771161]  vfs_symlink+0x114/0x1a0\n[    2.771163]  do_symlinkat+0x94/0x28c\n[    2.771164]  __arm64_sys_symlinkat+0x54/0x70\n[    2.771164]  invoke_syscall+0x58/0x114\n[    2.771166]  el0_svc_common+0x80/0xe0\n[    2.771168]  do_el0_svc+0x1c/0x28\n[    2.771169]  el0_svc+0x3c/0x70\n[    2.771172]  el0t_64_sync_handler+0x68/0xbc\n[    2.771173]  el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: uvc: Inicializar descriptor de coincidencia de color de formato basado en frame. Se corrige el fallo del puntero nulo en uvcg_framebased_make debido a un descriptor de coincidencia de color no inicializado para el formato basado en frame, que se añadió en el commit f5e7bdd34aca (\"usb: gadget: uvc: Permitir la creación de nuevos descriptores de coincidencia de color\") que agregó el manejo para el formato sin comprimir y mjpeg. El fallo se observa cuando la configuración del espacio de usuario (a través de configfs) no define explícitamente el descriptor de coincidencia de color. Si no se encuentra color_matching, config_group_find_item() devuelve NULL. El código luego salta a out_put_cm, donde llama a config_item_put(color_matching);. Si color_matching es NULL, esto desreferenciará un puntero nulo, lo que provocará un fallo. [ 2.746440] No se puede manejar la desreferencia del puntero NULL del núcleo en la dirección virtual 000000000000008c [ 2.756273] Información de aborto de memoria: [ 2.760080] ESR = 0x0000000096000005 [ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.771068] SET = 0, FnV = 0 [ 2.771069] EA = 0, S1PTW = 0 [ 2.771070] FSC = 0x05: level 1 translation fault [ 2.771071] Data abort info: [ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000 [ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 2.771084] Dumping ftrace buffer: [ 2.771085] (ftrace buffer empty) [ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15 [ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT) [ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc [ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771146] sp : ffffffc08140bbb0 [ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250 [ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768 [ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48 [ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00 [ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250 [ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615 [ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0 [ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a [ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000 [ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000 [ 2.771156] Call trace: [ 2.771157] __uvcg_fill_strm+0x198/0x2cc [ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290 [ 2.771159] configfs_symlink+0x1f8/0x630 [ 2.771161] vfs_symlink+0x114/0x1a0 [ 2.771163] do_symlinkat+0x94/0x28c [ 2.771164] __arm64_sys_symlinkat+0x54/0x70 [ 2.771164] invoke_syscall+0x58/0x114 [ 2.771166] el0_svc_common+0x80/0xe0 [ 2.771168] do_el0_svc+0x1c/0x28 [ 2.771169] el0_svc+0x3c/0x70 [ 2.771172] el0t_64_sync_handler+0x68/0xbc [ 2.771173] el0t_64_sync+0x1a8/0x1ac Inicializa el descriptor de coincidencia de color para el formato basado en frame para evitar el bloqueo del puntero NULL reflejando el manejo realizado para los formatos sin comprimir y mjpeg."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10","matchCriteriaId":"5890C690-B295-40C2-9121-FF5F987E5142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}