CVE-2025-23159: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-23159 is a vulnerability discovered in the Linux kernel's media subsystem, specifically affecting the Venus HFI component. The vulnerability was disclosed on May 1, 2025, and impacts various Linux distributions including Debian and Ubuntu. The issue exists in the shared memory handling where sfr->buf_size parameter can be manipulated by malicious users (NVD).

The vulnerability resides in the Linux kernel's media Venus HFI component where the sfr->buf_size parameter, stored in shared memory, can be manipulated to exceed the actual size of the sfr data buffer. This manipulation can lead to an out-of-bounds write condition when the size is made higher than the actual allocated buffer size (Wiz).

The vulnerability could allow a malicious user to perform out-of-bounds write operations by manipulating the buffer size in shared memory, potentially leading to memory corruption. This affects multiple Linux distributions including Ubuntu versions 20.04 LTS through 25.04 and various Debian releases (Ubuntu, Debian Tracker).

The vulnerability has been fixed in Linux kernel version 6.1.135-1 for Debian bookworm and 6.12.25-1 for Debian sid. The fix implements a check to cap the size to the allocated size for the sfr data buffer (Debian Tracker).