CVE-2025-40344
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ASoC Intel AVS driver, a use-after-free can occur during PCM close because the period-elapsed work and the shutdown handler are not synchronized.
Vulnerability
In the Linux kernel's ASoC Intel AVS (AudioDSP) driver, a use-after-free vulnerability exists in the PCM close path. The function avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio streams and frees the DAI's private context. However, the period-elapsed work that services the stream's IRQs may still be running concurrently and access the freed memory. This race condition can lead to slab-use-after-free errors.
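The shutdown ordering the description calls for, as an added example that is neither the driver's code nor the upstream fix: a single-threaded user-space model in which every name is hypothetical. It goes slightly beyond the text by contrasting a cancel-only shutdown with one that also disables the work, because a cancelled work item can be queued again by a later IRQ. Waiting for a handler that is already running, which the kernel's cancel_work_sync() and disable_work_sync() do, is not modelled.

```c
/* Added example: single-threaded user-space model, not kernel or driver code.
 * All names here (model_work, host_ctx, stream, ...) are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

struct host_ctx { int periods; };   /* stands in for the DAI private context */
/* pending: queued but not yet run; disable_depth > 0: queueing is refused */
struct model_work { bool pending; int disable_depth; };
struct stream { struct model_work work; struct host_ctx *ctx; };

/* IRQ side: ask for the period-elapsed handler to run later. */
static void model_queue(struct model_work *w)
{
    if (w->disable_depth == 0)
        w->pending = true;
}

/* Worker side: the handler dereferences the private context. */
static void model_run(struct stream *s)
{
    if (s->work.pending) {
        s->work.pending = false;
        s->ctx->periods++;
    }
}

/* Shutdown step 1: drop a pending run; optionally also block re-queueing. */
static void model_quiesce(struct model_work *w, bool disable)
{
    w->pending = false;
    if (disable)
        w->disable_depth++;
}

/* Returns how many handler runs are left pending against a freed context. */
int stale_runs_after_close(bool disable)
{
    struct stream s = { .ctx = calloc(1, sizeof(struct host_ctx)) };
    if (!s.ctx) return -1;
    model_queue(&s.work); model_run(&s);  /* normal period while open */
    model_queue(&s.work);                 /* IRQ just before close */
    model_quiesce(&s.work, disable);      /* synchronize with the work */
    free(s.ctx); s.ctx = NULL;            /* shutdown frees the context */
    model_queue(&s.work);                 /* late IRQ after close */
    return s.work.pending ? 1 : 0;        /* pending now means a stale run */
}

int main(void) { return stale_runs_after_close(true); }
```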
Exploitation
An attacker with local access to the system can trigger this vulnerability by opening and closing a PCM audio stream while audio operations are being performed. No special privileges are required beyond the ability to interact with ALSA audio devices. The race condition is time-sensitive and may require repeated attempts to trigger, but it is exploitable from user space.
Impact
Successful exploitation of this use-after-free can cause memory corruption, leading to system instability, denial of service (crash), or potentially privilege escalation if an attacker can control the freed memory to execute arbitrary code. The vulnerability is rated moderate in severity because it requires local access and precise timing.
Mitigation
The issue has been fixed in the Linux kernel with commits [1], [2], and [3] applied to stable branches. Users should update their kernel to a version containing these patches. No workarounds are available; updating is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3 (ca6d2b7aca77, b41fca4aa60b, 845f716dc5f3)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0