CVE-2025-40162
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails
devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's ASoC amd/sdw_utils driver occurs when devm_kasprintf() fails, fixed by moving a debug print after the NULL check.
Vulnerability Overview
CVE-2025-40162 is a NULL pointer dereference vulnerability in the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically in the amd/sdw_utils driver. The root cause is that devm_kasprintf() can return NULL, and that return value is not checked before it is used in a dev_dbg() call that prints cpus->dai_name. If memory allocation fails, devm_kasprintf() returns NULL, leading to a NULL pointer dereference when the debug message is printed [1][2].
Exploitation
Exploitation requires a local attacker to trigger a memory allocation failure in the kernel, which can be achieved by exhausting system memory or through other means that cause devm_kasprintf() to fail. No special privileges are needed beyond the ability to trigger the code path, but the attack surface is limited to systems where the affected SoundWire machine driver is in use. The vulnerability is a classic use-before-check pattern.
Impact
A successful exploit results in a NULL pointer dereference, causing a kernel crash (denial of service). The impact is limited to system availability; there is no evidence of privilege escalation or data corruption from this bug.
Mitigation
The fix has been applied to the Linux kernel stable tree in commits [1] and [2]. Users should update to a kernel version containing these commits. No workaround is available; the fix is a simple reorder of the debug print after the NULL check.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
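The use-before-check ordering described above, modelled in user space as an added example (it is not the kernel's code and not part of this CVE record). `model_kasprintf()`, `model_dbg()`, the `set_name_*` functions and the `cpu-dai-%d` name format are constructed stand-ins; the logger counts NULL names that reach it instead of reading through them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int fail_alloc, null_logged;  /* fault-injection switch; NULL names seen by the logger */

/* Stand-in for devm_kasprintf(): returns NULL when the allocation fails. */
static char *model_kasprintf(int idx)
{
    char *buf = fail_alloc ? NULL : malloc(32);
    if (buf)
        snprintf(buf, 32, "cpu-dai-%d", idx);  /* constructed name format */
    return buf;
}

/* Stand-in for dev_dbg(): counts a NULL name instead of reading through it. */
static void model_dbg(const char *name)
{
    if (name)
        fprintf(stderr, "cpu dai name: %s\n", name);
    null_logged += !name;
}

/* Ordering before the fix: log first, check second. */
static int set_name_before_fix(char **dai_name, int idx)
{
    *dai_name = model_kasprintf(idx);
    model_dbg(*dai_name);              /* may be handed NULL */
    return *dai_name ? 0 : -ENOMEM;
}

/* Ordering after the fix: check first, log only a valid name. */
static int set_name_after_fix(char **dai_name, int idx)
{
    *dai_name = model_kasprintf(idx);
    if (!*dai_name)
        return -ENOMEM;
    model_dbg(*dai_name);
    return 0;
}

int main(void)
{
    char *n;
    fail_alloc = 1;  /* simulate the allocation failure */
    printf("before fix: rc=%d, NULL names logged: %d\n", set_name_before_fix(&n, 0), null_logged);
    printf("after fix:  rc=%d\n", set_name_after_fix(&n, 0));
    return 0;
}
```

Forcing the allocation to fail, as `fail_alloc` does here, is how an error path like this gets exercised in a test, since the failure rarely occurs in normal operation.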
Affected products (2)
Patches (3)
095d692e5997, a1cccbd19676, 5726b68473f7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.