CVE-2025-40085

Vulnerability

In the Linux kernel's ALSA USB audio subsystem, the function try_to_register_card() in sound/usb/card.c calls usb_ifnum_to_if() and passes its return value directly to usb_interface_claimed() without verifying that the returned pointer is not NULL. When an invalid USB audio device is presented, usb_ifnum_to_if() can return NULL, leading to a NULL pointer dereference [1][2][3][4].

Exploitation

An attacker with physical access or the ability to connect a malicious USB device can craft an invalid USB audio descriptor that causes the kernel to attempt registration with a non-existent interface number. No special privileges are required beyond the ability to attach a USB device; the vulnerability triggers during the normal enumeration and driver binding process.

Impact

A successful exploit results in a kernel NULL pointer dereference, causing a system crash (denial of service). The vulnerability does not appear to allow arbitrary code execution or privilege escalation based on the available information.

Mitigation

The fix adds a NULL check before calling usb_interface_claimed(), ensuring that a valid interface pointer is present. The patch has been applied to the stable kernel trees [1][2][3][4]. Users should update to a kernel version containing the fix.