LiveActive security incident?Get immediate response
CVE Record

CVE-2025-22028: media: vimc: skip .s_stream() for stopped entities

In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: <TASK> vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-22028 is a Linux kernel issue in the VIMC virtual media test driver. The evidence shows a syzbot-triggered kernel warning when stream shutdown calls a media subdevice operation for an entity that was not properly started. No public source in the bundle shows active exploitation, data theft, or remote attack impact.

Executive priority

Treat this as a kernel maintenance item unless local evidence shows VIMC is exposed in sensitive systems. Prioritize through normal kernel patch cycles, with faster action for shared hosts, test infrastructure, or systems that enable media test drivers.

Technical view

The flaw is in drivers/media/test-drivers/vimc/vimc-streamer.c. During pipeline termination, vimc_streamer_pipeline_terminate() could call .s_stream() on stopped or unstarted entities, triggering the v4l2 call_s_stream() warning. Kernel stable commits add a guard so only previously started entities receive the stop-stream call.

Likely exposure

Exposure appears limited to Linux systems running affected kernel builds with the VIMC media test driver present and usable. The bundle lists Linux as affected across several kernel lines, but does not provide distro package names, CPEs, CVSS, or deployment prevalence.

Exploitation context

The cited evidence is a syzbot report reaching the issue through V4L2 streaming paths and a kernel fix. The bundle marks KEV as false and provides no cited evidence of exploitation in the wild or weaponized public exploit activity.

Researcher notes

The source bundle does not establish memory corruption, privilege escalation, or denial-of-service beyond a kernel warning. Analysis should focus on whether downstream kernels ship VIMC, whether it is reachable by unprivileged users, and whether vendor patches map to the listed stable commits.

Mitigation direction

  • Check Linux distribution advisories for packages containing the referenced stable fixes.
  • Update affected kernels once vendor-supported fixed builds are available.
  • Review whether VIMC is enabled or loaded on production systems.
  • If VIMC is unnecessary, follow vendor guidance for disabling unused test drivers.

Validation and detection

  • Inventory kernel versions and compare against vendor fixed package guidance.
  • Check kernel configuration or loaded modules for VIMC media test driver presence.
  • Confirm patched kernels include one of the referenced stable commits or downstream equivalent.
  • Review media-device access controls for users allowed to exercise V4L2 streaming paths.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-22028 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
6Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxadc589d2a20808fb99d46a78175cd023f2040338, adc589d2a20808fb99d46a78175cd023f2040338, adc589d2a20808fb99d46a78175cd023f2040338, adc589d2a20808fb99d46a78175cd023f2040338, adc589d2a20808fb99d46a78175cd023f2040338, 77fbb561bb09f56877dd84318212da393909975f, 73236bf581e96eb48808fea522351ed81e24c9cc, e7ae48ae47227c0302b9f4b15a5bf45934a55673, 4.14.108, 4.19.31, 5.0.4unaffected
LinuxLinux5.1, 0, 6.6.89, 6.12.23, 6.13.11, 6.14.2, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.