CVE-2025-40121
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently bytcr_rt5640 driver just ignores and leaves as is, which may lead to unexpected results like OOB access.
This patch adds the sanity check and corrects the input mapping to the certain default value if an invalid value is passed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing input validation in the Linux kernel's ASoC bytcr_rt5651 driver allows an invalid quirk value to cause out-of-bounds access; the fix adds a sanity check and falls back to a default input mapping.
Vulnerability
Analysis
CVE-2025-40121 is a vulnerability in the Linux kernel's ASoC (ALSA System on Chip) Intel Bay Trail/Cherry Trail RT5651 audio machine driver (bytcr_rt5651). The root cause is the absence of input validation when processing the quirk module parameter. Passing an invalid value through this option could lead to unexpected behavior, including out-of-bounds (OOB) memory access, as the driver previously accepted the value without any sanity check [1][2][3][4].
Exploitation
To exploit this issue, an attacker must be able to modify kernel module parameters, which typically requires local access or the ability to influence boot parameters on a platform where the driver is loaded, so that the driver receives a crafted quirk value. No further authentication is needed once the attacker has sufficient privileges to set the parameter. Exploitation is local in nature and not reachable over a network [1][2][3][4].
Impact
Successful exploitation could result in out-of-bounds memory access, potentially leading to system instability, information disclosure, or code execution, depending on the specific invalid value used. The vulnerability primarily affects systems using Intel Bay Trail or Cherry Trail SoCs with a Realtek RT5651 audio codec [1][2][3][4].
Mitigation
The vulnerability has been patched in the Linux kernel with a commit that adds a sanity check and corrects an invalid input mapping to a safe default value [1][2][3][4]. Users should update to a kernel version containing the fix (the commits listed under References) to eliminate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
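The pattern described above, as an added user-space model that is not the kernel driver's code: a field of the quirk value selects an entry in a fixed table, and a sanity check replaces an out-of-range selector with a default before any lookup. All identifiers, the mask width, the table contents and the chosen default are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical layout: the low 4 bits of the quirk select an input map,
 * the remaining bits are unrelated flags. Only 4 of the 16 encodable
 * selector values have a table entry. */
#define QUIRK_MAP_MASK 0x0fUL
#define QUIRK_MAP(q)   ((q) & QUIRK_MAP_MASK)

enum input_map { MAP_0, MAP_1, MAP_2, MAP_3, MAP_COUNT };
#define MAP_DEFAULT MAP_1   /* assumed fallback, not taken from the driver */

static const char *const map_names[MAP_COUNT] = {
    "map-0", "map-1", "map-2", "map-3",
};

/* Sanity check: if the selector has no table entry, replace only the
 * selector field with the default and keep the other quirk bits.
 * *corrected reports whether a correction was made. */
unsigned long sanitize_quirk(unsigned long quirk, int *corrected)
{
    *corrected = 0;
    if (QUIRK_MAP(quirk) >= (unsigned long)MAP_COUNT) {
        quirk = (quirk & ~QUIRK_MAP_MASK) | (unsigned long)MAP_DEFAULT;
        *corrected = 1;
    }
    return quirk;
}

/* Table lookup that is only reached with a validated selector. Without
 * sanitize_quirk(), selectors 4..15 would index past map_names[]. */
const char *input_map_name(unsigned long quirk)
{
    int corrected;

    quirk = sanitize_quirk(quirk, &corrected);
    if (corrected)
        fprintf(stderr, "invalid input map in quirk, using default\n");
    return map_names[QUIRK_MAP(quirk)];
}

int main(void)
{
    /* Constructed sample values: one valid selector, one invalid. */
    printf("0x102 -> %s\n", input_map_name(0x102UL));
    printf("0x10f -> %s\n", input_map_name(0x10fUL));
    return 0;
}
```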
Affected products
2
Patches
8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8
- git.kernel.org/stable/c/2204e582b4eea872e1e7a5c90edcb84b928c68b0 (nvd)
- git.kernel.org/stable/c/4336efb59ef364e691ef829a73d9dbd4d5ed7c7b (nvd)
- git.kernel.org/stable/c/64a36a7032082b4c330ce081acb6efb99246020e (nvd)
- git.kernel.org/stable/c/95e29db33b5f73218ae08ebb48c61c9a8d28e2ff (nvd)
- git.kernel.org/stable/c/bff827b0d507e52b23efab9f67c232a4f037ab2c (nvd)
- git.kernel.org/stable/c/c60f269c123210a6846d6d1367de0eaa402c10b0 (nvd)
- git.kernel.org/stable/c/f197894de2f4ef46c7d53827d9df294b75c35e13 (nvd)
- git.kernel.org/stable/c/fdf99978a6480e14405212472b6c747e0fa43bed (nvd)