CVE-2026-43478
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the DAPM context is snd_soc_component_to_dapm(), from kcontrol we will receive NULL pointer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's rt1011 audio codec driver occurs when spk_mode_put uses the wrong DAPM context helper.
Vulnerability
Overview
In the Linux kernel's ASoC subsystem, the rt1011 audio codec driver contains a NULL pointer dereference vulnerability in the rt1011_recv_spk_mode_put() function. The function incorrectly uses snd_soc_kcontrol_component() to retrieve the DAPM context, which returns NULL for this kcontrol, leading to a crash when the speaker mode control is accessed [1].
Root
Cause and Exploitation
The root cause is a programming error where the developer used the wrong helper function to obtain the DAPM context. The correct helper is snd_soc_component_to_dapm(), which properly derives the DAPM context from the component associated with the kcontrol. The vulnerability can be triggered by any user or process that can write to the speaker mode control (e.g., via ALSA mixer or PulseAudio), potentially causing a denial of service [1].
Impact
An attacker with local access to the audio subsystem can trigger a NULL pointer dereference, leading to a kernel panic or system crash. This results in a denial of service (DoS) condition. No privilege escalation or data leakage is reported [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit 30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399. Users should apply the latest kernel updates from their distribution to remediate this vulnerability [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
2b10b2b15b45930e4b2290cc2Vulnerability mechanics
Root cause
"The function rt1011_recv_spk_mode_put() uses snd_soc_kcontrol_component() to retrieve the DAPM context, which returns NULL for this type of kcontrol, instead of using snd_soc_component_to_dapm()."
Attack vector
An attacker who can control or trigger a kcontrol put operation on the RT1011 codec will cause a NULL pointer dereference. The bug is reached when the kernel calls rt1011_recv_spk_mode_put() via the ALSA control interface, because the helper snd_soc_kcontrol_component() returns NULL for this particular kcontrol type. No special privileges beyond access to the codec's ALSA controls are required.
Affected code
The vulnerable function is rt1011_recv_spk_mode_put() in the RT1011 ASoC codec driver. The function incorrectly calls snd_soc_kcontrol_component(kcontrol) to retrieve the DAPM context, which returns NULL for this kcontrol type, leading to a NULL pointer dereference.
What the fix does
The patch [patch_id=424577] replaces snd_soc_kcontrol_component(kcontrol) with snd_soc_component_to_dapm(component) in rt1011_recv_spk_mode_put(). The component pointer is already available as a function parameter. The old helper returned NULL for this kcontrol type, causing a NULL pointer dereference when the DAPM context was subsequently accessed. The fix ensures the correct DAPM context is retrieved from the component structure.
Preconditions
- inputAttacker must be able to trigger a kcontrol put operation on the RT1011 codec's ALSA controls.
- authAccess to the ALSA control interface for the RT1011 codec is required.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.