VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40154

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unexpected results like OOB access.

This patch corrects the input mapping to the certain default value if an invalid value is passed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Invalid quirk input in the Linux kernel's bytcr_rt5640 driver can cause OOB access, fixed by mapping invalid values to a safe default.

CVE-2025-40154 is a vulnerability in the Linux kernel's ASoC Intel bytcr_rt5640 driver. The driver accepts a quirk option, but when an invalid value is provided, it only logs an error message without correcting the input. This leaves internal data structures in an inconsistent state, potentially leading to out-of-bounds (OOB) memory access [1][2][3].

The attack surface is local; an attacker with the ability to pass a malformed quirk value to the driver (e.g., through a module parameter or device configuration) can trigger the flaw. No authentication is required beyond the ability to load the driver or modify its parameters, which on many systems is accessible to users with limited privileges. The lack of input validation means the driver does not reject or sanitize invalid values [1][2][3].

An attacker exploiting this could cause an OOB read or write, which may result in system instability, information disclosure, or privilege escalation. The impact is similar to other memory safety bugs in the kernel. The official fix, committed to multiple stable kernel branches, corrects the input mapping by setting invalid values to a certain default, preventing the out-of-bounds condition [1][2][3].

Patches are available in the upstream Linux kernel and recommended for inclusion in all affected distributions. Users should update their kernels to incorporate the fix, which resolves the vulnerability by ensuring that invalid quirk input is safely defaulted rather than left unchecked.
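The difference between the log-only handling and the default-mapping fix described above can be modelled in user space. This is an added example, not the driver's code: the 4-bit selector field, the table, the default choice and every identifier below are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: low 4 bits of the quirk word select an input mapping. */
#define MAP_MASK 0xFu
enum { MAP_DMIC1, MAP_DMIC2, MAP_IN1, MAP_IN3, MAP_COUNT };
#define MAP_DEFAULT MAP_DMIC1   /* assumed default for this sketch */

static const char *const map_name[MAP_COUNT] = { "dmic1", "dmic2", "in1", "in3" };

/* Pre-fix behaviour as described: report the bad value, leave it in place. */
unsigned int validate_log_only(unsigned int quirk)
{
    if ((quirk & MAP_MASK) >= MAP_COUNT)
        fprintf(stderr, "invalid input map 0x%x\n", quirk & MAP_MASK);
    return quirk;               /* bad selector is still stored */
}

/* Post-fix behaviour as described: replace the bad field with the default. */
unsigned int validate_with_default(unsigned int quirk)
{
    if ((quirk & MAP_MASK) >= MAP_COUNT) {
        fprintf(stderr, "invalid input map 0x%x, using default\n", quirk & MAP_MASK);
        quirk = (quirk & ~MAP_MASK) | MAP_DEFAULT;
    }
    return quirk;
}

/* A later consumer that trusts the stored selector. Returns 1 if the index is
 * inside map_name[]; 0 marks where an unchecked lookup would read OOB. */
int later_lookup_in_bounds(unsigned int quirk, const char **name)
{
    unsigned int idx = quirk & MAP_MASK;
    *name = idx < MAP_COUNT ? map_name[idx] : NULL;
    return idx < MAP_COUNT;
}

int main(void)
{
    const unsigned int samples[] = { 0x0002u, 0x1009u, 0x000Fu }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *a, *b;
        int before = later_lookup_in_bounds(validate_log_only(samples[i]), &a);
        int after = later_lookup_in_bounds(validate_with_default(samples[i]), &b);
        printf("0x%04x log-only:%s defaulted:%s\n", samples[i],
               before ? a : "OOB", after ? b : "OOB");
    }
    return 0;
}
```

The defaulting variant clears only the selector field, so unrelated quirk bits in the same word survive the correction.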

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 8

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
