{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71140", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:30:19.660Z", "datePublished": "2026-01-14T15:07:53.581Z", "dateUpdated": "2026-01-14T15:07:53.581Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-01-14T15:07:53.581Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Use spinlock for context list protection lock\n\nPreviously a mutex was added to protect the encoder and decoder context\nlists from unexpected changes originating from the SCP IP block, causing\nthe context pointer to go invalid, resulting in a NULL pointer\ndereference in the IPI handler.\n\nTurns out on the MT8173, the VPU IPI handler is called from hard IRQ\ncontext. This causes a big warning from the scheduler. This was first\nreported downstream on the ChromeOS kernels, but is also reproducible\non mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though\nthe actual capture format is not supported, the affected code paths\nare triggered.\n\nSince this lock just protects the context list and operations on it are\nvery fast, it should be OK to switch to a spinlock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c", "drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c", "drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h", "drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c", "drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c", "drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h", "drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"], "versions": [{"version": "0a2dc707aa42214f9c4827bd57e344e29a0841d6", "lessThan": "2c1ea6214827041f548279c9eda341eda0cc8351", "status": "affected", "versionType": "git"}, {"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382", "lessThan": "b92c19675f632a41af1222027a231bc2b7efa7ed", "status": "affected", "versionType": "git"}, {"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382", "lessThan": "3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1", "status": "affected", "versionType": "git"}, {"version": "6467cda18c9f9b5f2f9a0aa1e2861c653e41f382", "lessThan": "a5844227e0f030d2af2d85d4aed10c5eca6ca176", "status": "affected", "versionType": "git"}, {"version": "23aaf824121055ba81b55f75444355bd83c8eb38", "status": "affected", "versionType": "git"}, {"version": "41671f0c0182b2bae74ca7e3b0f155559e3e2fc5", "status": "affected", "versionType": "git"}, {"version": "51c84a8aac6e3b59af2b0e92ba63cabe2e641a2d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c", "drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c", "drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h", "drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c", "drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c", "drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h", "drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.120", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.64", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.4", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.27", "versionEndExcluding": "6.6.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19-rc1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351"}, {"url": "https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed"}, {"url": "https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1"}, {"url": "https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176"}], "title": "media: mediatek: vcodec: Use spinlock for context list protection lock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Use spinlock for context list protection lock\n\nPreviously a mutex was added to protect the encoder and decoder context\nlists from unexpected changes originating from the SCP IP block, causing\nthe context pointer to go invalid, resulting in a NULL pointer\ndereference in the IPI handler.\n\nTurns out on the MT8173, the VPU IPI handler is called from hard IRQ\ncontext. This causes a big warning from the scheduler. This was first\nreported downstream on the ChromeOS kernels, but is also reproducible\non mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though\nthe actual capture format is not supported, the affected code paths\nare triggered.\n\nSince this lock just protects the context list and operations on it are\nvery fast, it should be OK to switch to a spinlock."}], "id": "CVE-2025-71140", "lastModified": "2026-01-14T16:25:12.057", "metrics": {}, "published": "2026-01-14T15:16:03.793", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}