CVE-2025-40098
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()
Return value of a function acpi_evaluate_dsm() is dereferenced without checking for NULL, but it is usually checked for this function.
acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a NULL pointer dereference in cs35l41_get_acpi_mute_state() when acpi_evaluate_dsm() returns NULL can lead to a crash.
Root Cause Analysis
CVE-2025-40098 addresses a NULL pointer dereference vulnerability found in the Linux kernel's cs35l41 audio driver, specifically in the function cs35l41_get_acpi_mute_state(). The issue arises because the return value of acpi_evaluate_dsm() is dereferenced without a prior NULL check. According to the official description, acpi_evaluate_dsm() may return NULL if acpi_evaluate_object() returns an ACPI status other than ACPI_SUCCESS. This oversight can lead to a null pointer dereference, crashing the system. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool [1].
Exploitation Prerequisites
This vulnerability is triggered locally within the kernel's ACPI subsystem when the cs35l41 driver is loaded and attempts to retrieve ACPI mute state information. The attacker must be able to influence the ACPI evaluation, which typically requires either local access to the system or the ability to manipulate ACPI tables. The primary attack vector is therefore considered local, since a crafted or malfunctioning ACPI object could cause the NULL pointer dereference. No authentication is explicitly required if the attacker can load arbitrary ACPI data; in typical scenarios, however, the attacker needs to be able to execute code or commands that trigger the vulnerable driver path.
Impact Assessment
The impact is a denial of service: an attacker who successfully triggers the NULL pointer dereference can cause the kernel to panic, leading to an immediate system crash. The CVSS score and vector are not provided in the input, but the vulnerability is classified as a potential crash. There is no indication of privilege escalation or data leakage.
Mitigation and Patch Status
A fix is available in the Linux kernel stable tree and is included in the commit referenced in the advisory [1]. Users are advised to update their kernel to include the patch that adds a NULL check on the return value of acpi_evaluate_dsm() before dereferencing. No workarounds are mentioned, but disabling the cs35l41 driver if not needed may prevent exposure.
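The unchecked and checked call shapes described above, as an added user-space example that is not the driver's code or the upstream patch. Every `model_*` name is a hypothetical stand-in for the kernel's ACPI types and for cs35l41_get_acpi_mute_state(), and the type/length test goes beyond the NULL check the CVE describes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model; model_* names are hypothetical, not kernel or driver code. */
enum model_type { MODEL_INTEGER, MODEL_BUFFER };
struct model_obj { enum model_type type; size_t length; unsigned char *pointer; };

/* Stand-in for acpi_evaluate_dsm(): NULL when the evaluation fails. */
struct model_obj *model_evaluate_dsm(int ok, enum model_type type, unsigned char v)
{
    struct model_obj *obj = ok ? malloc(sizeof(*obj) + 1) : NULL;
    if (!obj)
        return NULL;
    obj->type = type;
    obj->length = 1;
    obj->pointer = (unsigned char *)(obj + 1);  /* payload follows the header */
    obj->pointer[0] = v;
    return obj;
}

/* Pre-fix shape: result dereferenced unconditionally; ok == 0 crashes here. */
int model_get_mute_unchecked(int ok, unsigned char v)
{
    struct model_obj *ret = model_evaluate_dsm(ok, MODEL_BUFFER, v);
    int mute = *ret->pointer;
    free(ret);
    return mute;
}

/* Post-fix shape: NULL check first; the type/length test is this example's extra. */
int model_get_mute_checked(int ok, enum model_type type, unsigned char v)
{
    struct model_obj *ret = model_evaluate_dsm(ok, type, v);
    int mute = -EINVAL;
    if (!ret)
        return -EINVAL;
    if (ret->type == MODEL_BUFFER && ret->length >= 1)
        mute = ret->pointer[0];
    free(ret);
    return mute;
}

int main(void)
{
    printf("ok=%d failed=%d\n", model_get_mute_checked(1, MODEL_BUFFER, 1),
           model_get_mute_checked(0, MODEL_BUFFER, 1));
    return 0;
}
```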
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2 (b518386db2b9, 8527bbb33936)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.