CVE-2025-71286
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls
The size of the data behind of scontrol->ipc_control_data for bytes controls is:
[1] sizeof(struct sof_ipc4_control_data) + // kernel only struct
[2] sizeof(struct sof_abi_hdr)) + payload
The max_size specifies the size of [2] and it is coming from topology.
Change the function to take this into account and allocate adequate amount of memory behind scontrol->ipc_control_data.
With the change we will allocate [1] amount more memory to be able to hold the full size of data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ASoC SOF IPC4-topology driver, bytes controls are allocated insufficiently, leading to potential out-of-bounds access.
Root Cause
The vulnerability resides in the ASoC: SOF: ipc4-topology component of the Linux kernel. The function responsible for allocating memory for bytes controls incorrectly sized the allocation. The required memory should be the sum of [1] sizeof(struct sof_ipc4_control_data) (kernel-only struct) plus [2] sizeof(struct sof_abi_hdr) + payload. However, the allocation only used max_size, which represents part [2], and omitted the size of the kernel struct. This insufficient allocation can lead to memory corruption or out-of-bounds writes when data is copied into the buffer [1].
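The sizing mismatch described above, as an added user-space model (not the kernel's code or the patch itself). The two structs are simplified stand-ins with assumed layouts, and the function names and bounds checks are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified stand-ins; not the kernel's real layouts. */
struct abi_hdr_model {              /* models struct sof_abi_hdr, start of [2] */
    uint32_t magic, type, size, abi, reserved[4];
};
struct ctrl_data_model {            /* models struct sof_ipc4_control_data, [1] */
    uint32_t msg[4];                /* placeholder kernel-only bookkeeping */
    uint32_t index;
    uint8_t  data[];                /* [2] (ABI header + payload) starts here */
};

/* Sizing before the fix, per the description: only [2] is allocated. */
static size_t size_before_fix(size_t max_size)
{
    return max_size;
}

/* Sizing after the fix: [1] + [2]. The bounds checks are this example's
 * additions, since max_size comes from the topology file. */
static bool size_after_fix(size_t max_size, size_t *out)
{
    if (max_size < sizeof(struct abi_hdr_model))
        return false;               /* [2] cannot even hold its header */
    if (max_size > SIZE_MAX - sizeof(struct ctrl_data_model))
        return false;               /* [1] + [2] would wrap around */
    *out = sizeof(struct ctrl_data_model) + max_size;
    return true;
}

/* Bytes by which an allocation falls short of the required size. */
static size_t shortfall(size_t allocated, size_t required)
{
    return required > allocated ? required - allocated : 0;
}

int main(void)
{
    size_t max_size = 128, need;    /* constructed topology value */
    if (!size_after_fix(max_size, &need))
        return 1;
    printf("before: %zu short by %zu\n", size_before_fix(max_size),
           shortfall(size_before_fix(max_size), need));
    printf("after:  %zu short by %zu\n", need, shortfall(need, need));
    return 0;
}
```

In this model the pre-fix buffer is always short by exactly the size of the kernel-only struct [1], whatever max_size the topology supplies.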
Exploitation
An attacker would need to provide a crafted topology file that specifies a max_size for bytes controls. When the kernel processes this topology and allocates memory for the control data, the allocation will be too small. Subsequent operations that write or read the full expected data size can exceed the allocated buffer boundaries. Exploitation likely requires local access to load a malicious topology, or the ability to influence topology loading via elevated privileges [2][3].
Impact
Successful exploitation could lead to memory corruption, potentially causing denial of service (system crash) or, in more severe scenarios, privilege escalation if the out-of-bounds access can be used to overwrite sensitive kernel structures. The CVSS v3 score of 5.5 (Medium) reflects the need for local access and the potential for integrity or availability impact [4].
Mitigation
The fix was applied in the Linux kernel stable tree, as shown in the referenced commits. Users should update their kernel to a version that includes the patch, where the allocation now correctly accounts for the full size of the control data structure [3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/1237cd9ff198cb882402572f29569e5247190974 (nvd, Patch)
- git.kernel.org/stable/c/491956b45b5f4933632ea6d8a8bdfdf045ab81e1 (nvd, Patch)
- git.kernel.org/stable/c/59fe643f21b9d59bcbedb0dfbf988ee455c23736 (nvd, Patch)
- git.kernel.org/stable/c/a653820700b81c9e6f05ac23b7969ecec1a18e85 (nvd, Patch)
- git.kernel.org/stable/c/a704a1a4394b5877b9adc31b2c3165ad0b541896 (nvd, Patch)