CVE-2026-46179
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Don't allow pointer operations on unconfigured streams
When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A divide-by-zero bug in the Linux kernel's ASoC SOF driver allows denial of service when pointer operations are performed on unconfigured compressed audio streams.
Vulnerability
A divide-by-zero vulnerability exists in the Linux kernel's ASoC: SOF subsystem when reporting the pointer for a compressed stream [1]. The driver calculates the current I/O frame position by dividing by the product of the number of channels and the number of container bytes, both of which default to 0 and are only configured when stream parameters are set [1]. If a pointer operation is invoked before stream configuration, a division by zero occurs, leading to a crash or undefined behavior. The affected versions are those containing the vulnerable snd_sof_pointer() or related code paths before this fix was applied [1].
Exploitation
An attacker would require the ability to trigger a compressed stream pointer operation on an unconfigured stream. This can be achieved if the attacker has local access to the system and can open a compressed audio stream via the ALSA interface (e.g., via a userspace application) and then call a pointer retrieval ioctl (e.g., SNDRV_PCM_IOCTL_POINTER or equivalent compressed stream operation) without first setting stream parameters [1]. No special hardware is needed; any system with the SOF driver loaded is potentially vulnerable. The attack sequence is: (1) open a compressed PCM device, (2) do not set stream parameters, (3) perform a pointer operation, (4) the kernel divides by zero and crashes [1].
Impact
Successful exploitation results in a division by zero, which typically causes an oops, kernel panic, or system crash, leading to a denial of service (DoS) [1]. The privilege level required to initiate the attack is local (unprivileged user or process), and the impact is primarily availability (the system becomes unstable or unusable). There is no evidence of data confidentiality or integrity compromise beyond system instability.
Mitigation
The fix was committed to the Linux kernel stable tree with commit ID c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8, which adds a check for zero values before performing the division [1]. Users should apply this patch or upgrade to a kernel version that includes it. As of the publication date (2026-05-28), the fix is available in the stable branch [1]. No workaround is provided other than avoiding pointer operations on unconfigured compressed streams, which is not practical for general use. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
100f0c0c1397a4ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 90b932ae3bab2c..593b8c74748469 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 90b932ae3bab2c..593b8c74748469 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
c5b6285aae05ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index f4c3e10e6344d4..93f2376585dbf5 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -381,6 +381,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index f4c3e10e6344d4..93f2376585dbf5 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -381,6 +381,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
327a64241f30ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
98ed1383f597ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
4f42dd01f521ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 96570121aae01b..90f056eae1c33a 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -379,6 +379,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 96570121aae01b..90f056eae1c33a 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -379,6 +379,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
327a64241f30ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
98ed1383f597ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index d7b044f33d7963..c469bb706e4a49 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
0f0c0c1397a4ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 90b932ae3bab2c..593b8c74748469 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 90b932ae3bab2c..593b8c74748469 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -371,6 +371,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
c5b6285aae05ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index f4c3e10e6344d4..93f2376585dbf5 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -381,6 +381,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index f4c3e10e6344d4..93f2376585dbf5 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -381,6 +381,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
4f42dd01f521ASoC: SOF: Don't allow pointer operations on unconfigured streams
2 files changed · +6 −2
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 96570121aae01b..90f056eae1c33a 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -379,6 +379,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
sound/soc/sof/compress.c+3 −1 modifieddiff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c index 96570121aae01b..90f056eae1c33a 100644 --- a/sound/soc/sof/compress.c +++ b/sound/soc/sof/compress.c @@ -379,6 +379,9 @@ static int sof_compr_pointer(struct snd_soc_component *component, if (!spcm) return -EINVAL; + if (!sstream->channels || !sstream->sample_container_bytes) + return -EBUSY; + tstamp->sampling_rate = sstream->sampling_rate; tstamp->copied_total = sstream->copied_total; tstamp->pcm_io_frames = div_u64(spcm->stream[cstream->direction].posn.dai_posn, -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing validation that stream parameters (channels and sample_container_bytes) are non-zero before using them as a divisor in sof_compr_pointer()."
Attack vector
An attacker who can invoke the compressed stream pointer operation (e.g. via ALSA `SNDRV_COMPRESS_IOCTL_AVAIL` or similar ioctl) on a stream whose parameters have not yet been set triggers a divide-by-zero in `sof_compr_pointer()` [patch_id=2898005]. The fields `sstream->channels` and `sstream->sample_container_bytes` default to 0 and are only populated when stream parameters are configured, so calling the pointer operation before configuration causes a division by zero, likely crashing the kernel.
Affected code
The vulnerable function is `sof_compr_pointer()` in `sound/soc/sof/compress.c` [patch_id=2898005]. The function computes `pcm_io_frames` by dividing `dai_posn` by `sstream->channels * sstream->sample_container_bytes` without first validating that those fields are non-zero.
What the fix does
The patch adds a guard at the top of `sof_compr_pointer()` that returns `-EBUSY` if either `sstream->channels` or `sstream->sample_container_bytes` is zero [patch_id=2898005]. This prevents the subsequent `div_u64()` call from dividing by zero when the stream has not yet been configured. The check is placed immediately after the existing `spcm` null check, before any timestamp fields are computed.
Preconditions
- inputThe attacker must be able to invoke the compressed stream pointer operation (e.g. via ALSA compressed IOCTL) on a stream before its parameters have been set.
- configThe system must have the SOF (Sound Open Firmware) compressed audio support enabled and a compressed stream opened.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0f0c0c1397a42aacaacae828206ee1b921623952nvd
- git.kernel.org/stable/c/327a64241f30c74b6f35537eb9e1fc6c3cbe060bnvd
- git.kernel.org/stable/c/4f42dd01f5217465f23a763e27b3984e114d0972nvd
- git.kernel.org/stable/c/98ed1383f597f8a45b6cb816bb20b96d46eecedanvd
- git.kernel.org/stable/c/c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8nvd
News mentions
0No linked articles in our index yet.