CVE-2025-21996

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()<br /> <br /> On the off chance that command stream passed from userspace via<br /> ioctl() call to radeon_vce_cs_parse() is weirdly crafted and<br /> first command to execute is to encode (case 0x03000001), the function<br /> in question will attempt to call radeon_vce_cs_reloc() with size<br /> argument that has not been properly initialized. Specifically, &amp;#39;size&amp;#39;<br /> will point to &amp;#39;tmp&amp;#39; variable before the latter had a chance to be<br /> assigned any value.<br /> <br /> Play it safe and init &amp;#39;tmp&amp;#39; with 0, thus ensuring that<br /> radeon_vce_cs_reloc() will catch an early error in cases like these.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with static<br /> analysis tool SVACE.<br /> <br /> (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)