CVE-2025-38226 Affecting kernel-source-coco package, versions <6.4.0-15061.28.coco15sp6.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES156-KERNELSOURCECOCO-12099449
- published21 Aug 2025
- disclosed20 Aug 2025
Introduced: 20 Aug 2025
CVE-2025-38226 (opens in a new tab)How to fix?
Upgrade SLES:15.6 kernel-source-coco to version 6.4.0-15061.28.coco15sp6.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-source-coco package and not the kernel-source-coco package as distributed by SLES.
See How to fix? for SLES:15.6 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
media: vivid: Change the siize of the composing
syzkaller found a bug:
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>
The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
References
- https://www.suse.com/security/cve/CVE-2025-38226.html
- https://bugzilla.suse.com/1246050
- https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064
- https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee
- https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39
- https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b
- https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34
- https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135
- https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0
- https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e