CVE-2025-68281
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list
"struct sdca_control" declares "values" field as integer array. But the memory allocated to it is of char array. This causes crash for sdca_parse_function API. This patch addresses the issue by allocating correct data size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory allocation mismatch in the Linux kernel's SDCA driver causes a crash when parsing MIPI SDCA control lists.
Vulnerability
Overview
In the Linux kernel's ASoC SDCA (SoundWire Device Class for Audio) subsystem, struct sdca_control declares its values field as an integer array, but the memory allocated for it is sized as a char array. Because of this mismatch, the sdca_parse_function API accesses the buffer as integers and reads or writes past the end of the allocation, which crashes the kernel.
Exploitation
An attacker would need to trigger the parsing of a crafted MIPI SDCA control list, likely through a malicious audio device or by injecting a malformed control descriptor. No authentication is required if the attacker can physically connect a device or if the system processes untrusted control data from a compromised peripheral.
Impact
Successful exploitation results in a kernel crash (denial of service). The vulnerability could potentially be leveraged for arbitrary code execution if the memory corruption is carefully controlled, though the patch description only mentions a crash.
Mitigation
The fix [1] corrects the allocation size by using sizeof(int) instead of sizeof(char). The patch has been applied to the stable kernel tree. Users should update to a kernel version containing this commit or apply the backport.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
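The size mismatch described above, and the corrected allocation pattern, shown as an added userspace example that is not the kernel's code. struct demo_control and every function name below are hypothetical; only the int-typed values field comes from the CVE description.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the kernel structure: only the field the
 * CVE description mentions is modelled. */
struct demo_control {
    int    *values;   /* declared as an int array */
    size_t  nvalues;  /* number of entries the parser may store */
};

/* Size the flawed pattern requests: one byte per entry. */
static size_t bytes_char_sized(size_t n) { return n * sizeof(char); }

/* Size the parser actually needs; 0 signals multiplication overflow. */
static size_t bytes_int_sized(size_t n)
{
    return n > SIZE_MAX / sizeof(int) ? 0 : n * sizeof(int);
}

/* Bytes an int-wise parser would touch beyond a char-sized buffer. */
static size_t overrun_bytes(size_t n)
{
    size_t need = bytes_int_sized(n);
    return need ? need - bytes_char_sized(n) : 0;
}

/* Corrected allocation: the element size is taken from the pointer
 * itself, so it cannot drift from the declared type. */
static int demo_control_alloc(struct demo_control *c, size_t n)
{
    c->values = NULL;
    c->nvalues = 0;
    if (n == 0 || bytes_int_sized(n) == 0)
        return -1;
    c->values = calloc(n, sizeof(*c->values));
    if (!c->values)
        return -1;
    c->nvalues = n;
    return 0;
}

/* Bounded store, as a parser would perform for each entry. */
static int demo_control_set(struct demo_control *c, size_t i, int v)
{
    if (i >= c->nvalues)
        return -1;
    c->values[i] = v;
    return 0;
}
```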