Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68812

CVE-2025-68812: Linux Kernel Media Iris DoS Vulnerability

CVE-2025-68812 is a denial of service flaw in the Linux kernel media iris driver that can cause system crashes due to improper stream handling. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2025-68812 Overview

A use-after-free vulnerability has been identified in the Linux kernel's media iris driver, specifically in the iris_vb2_stop_streaming function. The vulnerability occurs due to a missing sanity check that allows stream_off operations to proceed even when the instance state is already in an error condition (IRIS_INST_ERROR). This can lead to a kernel crash when accessing freed memory.

Critical Impact

Exploitation of this vulnerability can cause a kernel crash through accessing freed memory, potentially leading to system instability and denial of service.

Affected Products

  • Linux kernel with media iris driver support
  • Systems using Qualcomm media hardware with iris driver

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68812 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68812

Vulnerability Analysis

This vulnerability represents a classic use-after-free condition in the Linux kernel's media subsystem. The iris driver, used for media streaming operations, lacks proper state validation before executing stop streaming operations. When iris_kill_session is called, it sets the instance state to IRIS_INST_ERROR and proceeds to execute session_close, which frees the memory allocated for inst_hfi_gen2->packet using kfree().

The critical issue arises when stop_streaming is subsequently called on an instance that has already been marked as IRIS_INST_ERROR. Without proper validation, the function attempts to send packets to the firmware using the already-freed packet structure, resulting in a use-after-free condition that triggers a kernel crash.

Root Cause

The root cause of this vulnerability is the absence of a sanity check in the iris_vb2_stop_streaming function to verify the instance state before proceeding with stream_off operations. The function should verify that inst->state is not already set to IRIS_INST_ERROR before attempting to access or use the packet structure that may have been freed during a prior error handling sequence in iris_kill_session.

Attack Vector

The attack vector for this vulnerability involves triggering a race condition or sequence of events that causes iris_kill_session to be called while streaming operations are still active. An attacker with local access to the system could potentially:

  1. Initiate a media streaming session using the iris driver
  2. Trigger an error condition that invokes iris_kill_session
  3. Immediately call stop_streaming before the system fully handles the error state
  4. This sequence causes the driver to access the freed inst_hfi_gen2->packet memory, resulting in a kernel crash

The vulnerability requires local access to the system and the ability to interact with the media subsystem. The attack mechanism exploits the lack of synchronization between error handling and normal streaming teardown operations.

Detection Methods for CVE-2025-68812

Indicators of Compromise

  • Unexpected kernel crashes or system reboots when stopping media streams
  • Kernel panic messages referencing iris_vb2_stop_streaming or related iris driver functions
  • Use-after-free reports from kernel sanitizers (KASAN) in the media/iris subsystem
  • System logs showing media streaming errors followed by crashes

Detection Strategies

  • Enable Kernel Address Sanitizer (KASAN) to detect use-after-free conditions in the iris driver
  • Monitor kernel logs for crashes or warnings in the media/iris subsystem components
  • Deploy endpoint detection solutions capable of monitoring kernel-level anomalies
  • Implement crash dump analysis to identify patterns indicative of this vulnerability

Monitoring Recommendations

  • Configure kernel crash monitoring to alert on panics in media driver code paths
  • Enable kernel debug options to trace iris driver state transitions
  • Monitor for unusual patterns in media streaming session lifecycle events
  • Implement file integrity monitoring on kernel modules related to media drivers

How to Mitigate CVE-2025-68812

Immediate Actions Required

  • Update to a patched version of the Linux kernel that includes the sanity check fix
  • If patching is not immediately possible, consider disabling or unloading the iris driver module if not required
  • Monitor systems for signs of exploitation attempts or unexpected crashes
  • Review and restrict local access to systems with the vulnerable driver

Patch Information

The fix has been merged into the Linux kernel stable tree. The patch adds a sanity check in iris_vb2_stop_streaming to verify that inst->state is not IRIS_INST_ERROR before proceeding with stream_off operations. This prevents the use-after-free condition by skipping the problematic code path when the instance is already in an error state.

Reference commits are available:

Workarounds

  • Unload the iris driver module (rmmod iris) if media streaming functionality is not required
  • Restrict access to media devices at the file permission level to limit potential attackers
  • Implement security policies to prevent untrusted users from accessing media streaming interfaces
  • Consider using kernel lockdown features to restrict direct interaction with kernel modules

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.