CVE-2025-40275
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.
This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.
This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.
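The missing check described above, as a userspace C model added here for illustration; it is not the kernel patch or the driver's own code. The `model_*` types and functions, the demo device, and the `-EINVAL` return value are assumptions standing in for usb_ifnum_to_if() and the kernel's descriptor structures.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins for the kernel's USB structures. */
struct model_iad { unsigned char bFirstInterface, bInterfaceCount; };
struct model_interface { int ifnum; struct model_iad *intf_assoc; };
struct model_device { struct model_interface *ifaces; size_t n_ifaces; };

/* Models usb_ifnum_to_if(): NULL when no interface carries that number. */
static struct model_interface *model_ifnum_to_if(struct model_device *dev, int ifnum)
{
    for (size_t i = 0; i < dev->n_ifaces; i++)
        if (dev->ifaces[i].ifnum == ifnum)
            return &dev->ifaces[i];
    return NULL;
}

/* Unchecked pattern from the description: crashes if the lookup fails. */
int model_badd_unchecked(struct model_device *dev, int ctrlif)
{
    return model_ifnum_to_if(dev, ctrlif)->intf_assoc->bInterfaceCount;
}

/* Checked pattern: reject the device instead of dereferencing NULL.
 * Returning -EINVAL is this model's choice, not taken from the page. */
int model_badd_checked(struct model_device *dev, int ctrlif)
{
    struct model_interface *iface = model_ifnum_to_if(dev, ctrlif);

    if (!iface)
        return -EINVAL;
    return iface->intf_assoc->bInterfaceCount;
}

/* Constructed sample: interfaces 1 and 2 exist, interface 0 does not. */
static struct model_iad demo_iad = { 1, 2 };
static struct model_interface demo_ifaces[] = { { 1, &demo_iad }, { 2, &demo_iad } };
static struct model_device demo_dev = { demo_ifaces, 2 };

int main(void)
{
    printf("ctrlif 1 -> %d\n", model_badd_checked(&demo_dev, 1));
    printf("ctrlif 0 -> %d\n", model_badd_checked(&demo_dev, 0));
    return 0;
}
```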
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's ALSA USB audio driver for UAC3 devices can be triggered by a crafted USB descriptor, causing a crash.
Vulnerability
Description
In the Linux kernel, the ALSA USB audio driver's snd_usb_mixer_controls_badd() function assumes that usb_ifnum_to_if() always returns a valid pointer. For UAC3 devices, when retrieval of the Interface Association Descriptor (IAD) fails in snd_usb_create_streams(), a fallback routine sets a BADD profile. However, snd_usb_mixer_controls_badd() does not check whether usb_ifnum_to_if() returned NULL, which leads to a NULL pointer dereference [1].
Exploitation
Prerequisites
The vulnerability can be triggered by a physically present or hot-plugged malicious USB device that provides a crafted USB device descriptor. No authentication or special privileges are required; an attacker only needs the ability to connect a USB device to the target system [1].
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). The vulnerability does not appear to allow arbitrary code execution; it is limited to causing a kernel oops [1].
Mitigation
The issue was discovered by syzkaller and is fixed in the Linux kernel stable updates. Users should apply the latest kernel patches to prevent exploitation. The fix adds a NULL check after usb_ifnum_to_if() in snd_usb_mixer_controls_badd() [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 (nvd)
- git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b (nvd)
- git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0 (nvd)
- git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74 (nvd)
- git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c (nvd)
- git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063 (nvd)
- git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 (nvd)
- git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff (nvd)