VYPR
Unrated severity · NVD Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026

CVE-2025-40097

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda: Fix missing pointer check in hda_component_manager_init function

The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.

The call stack leading to the error looks like this:

hda_component_manager_init
|-> component_match_add
    |-> component_match_add_release
        |-> __component_match_add ( ... ,**matchptr, ... )
            |-> *matchptr = ERR_PTR(-ENOMEM);       // assign
|-> component_master_add_with_match( ... match)
    |-> component_match_realloc(match, match->num); // dereference

Add IS_ERR() check to prevent the crash.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing IS_ERR() check in the ALSA HDA component manager lets an ERR_PTR(-ENOMEM) value be dereferenced, crashing the kernel.

In the Linux kernel's ALSA HDA subsystem, the function hda_component_manager_init calls component_match_add, which internally invokes __component_match_add. This function may assign ERR_PTR(-ENOMEM) to the matchptr pointer when memory allocation fails, and this error pointer is later dereferenced without validation, leading to a kernel crash [1].

Root Cause and Exploitation

The issue lies in the absence of an IS_ERR() check on the matchptr pointer after the call to __component_match_add. The pointer is subsequently used in component_master_add_with_match, which calls component_match_realloc that dereferences the invalid pointer. This flaw can be triggered on systems with constrained memory, where a memory allocation failure occurs during the component matching process. An attacker would need the ability to cause memory pressure on the target system, which could be achieved through local access or by exhausting system memory remotely if the attack surface is exposed [1].
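The error-pointer pattern described above, modelled in userspace C as an added example (not the kernel's code or the actual patch). ERR_PTR, IS_ERR and PTR_ERR mirror the kernel's <linux/err.h> helpers; struct match, the model_* functions and the fail_alloc knob are hypothetical stand-ins, and returning PTR_ERR() from the checked path is an assumption about how the error is propagated.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace copies of the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct match { size_t num; };	/* hypothetical stand-in for the match object */

/* Models __component_match_add(): on allocation failure the out-parameter
 * gets ERR_PTR(-ENOMEM), not NULL. fail_alloc is a constructed test knob. */
static void model_match_add(struct match **matchptr, int fail_alloc)
{
	struct match *m = fail_alloc ? NULL : calloc(1, sizeof(*m));
	if (!m) {
		*matchptr = ERR_PTR(-ENOMEM);
		return;
	}
	m->num = 1;
	*matchptr = m;
}

/* Models the init path with the IS_ERR() check in place. Returning
 * PTR_ERR() is an assumption about how the error is propagated. */
int model_init_checked(int fail_alloc)
{
	struct match *match = NULL;
	int num;
	model_match_add(&match, fail_alloc);
	if (IS_ERR(match))		/* without this, match->num below faults */
		return (int)PTR_ERR(match);
	num = (int)match->num;		/* the dereference from the call stack */
	free(match);
	return num;
}

/* A plain NULL test misses the failure: the error pointer is non-NULL. */
int null_check_catches_failure(void)
{
	struct match *match = NULL;
	model_match_add(&match, 1);
	return match == NULL;
}
```

The same reasoning applies when auditing other callers of out-parameter APIs that report failure through ERR_PTR(): a check of the form `if (!ptr)` passes the error value straight through to the first dereference.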

Impact

Successful exploitation results in a denial of service (DoS) via a null pointer dereference or use of an invalid error pointer, causing a kernel panic. This leads to system instability and potential data loss if the crash occurs during critical operations [1].

Mitigation

A fix has been applied in the kernel stable tree commit 47d1b9ca923b55c3f407788f1f15b04957e0e027, which adds the missing IS_ERR() check. Users are advised to update their Linux kernel to a version containing this patch or backport the fix. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
