CVE-2025-40045

Vulnerability

Overview

In the Linux kernel's ASoC subsystem, the wcd937x codec driver contains a bug where the SoundWire port numbers for the HPHL_COMP and HPHR_COMP channels are incorrectly set to zero. This occurs during initialization when the driver configures the codec's audio paths. The root cause is a missing or incorrect assignment in the code that maps these compensation channels to their respective SoundWire ports [1].

Exploitation

Conditions

An attacker would need to have the ability to trigger the codec initialization sequence, which typically requires local access to the system or the ability to load/unload the driver. The vulnerability is triggered during normal operation when the codec is initialized or when audio paths are reconfigured. No special privileges beyond the ability to interact with the audio subsystem are required, but the attack surface is limited to systems using the wcd937x codec (commonly found in certain mobile platforms) [1].

Impact

If exploited, the zero port value leads to an out-of-bounds access when the driver attempts to use the port number as an index into the port_map array. Specifically, accessing the -1th element (due to zero-based indexing) can cause memory corruption, potentially leading to a system crash or denial of service. In more severe cases, this could be leveraged for privilege escalation, though the description does not confirm code execution [1].

Mitigation

The fix has been applied in the Linux kernel stable tree via commit 1a1ca38392e7. Users are advised to update their kernels to include this patch. No workaround is mentioned, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of publication [1].