| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120717-CVE-2025-40275-021a@gregkh> Date: Sun, 7 Dec 2025 06:52:22 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40275: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor. The Linux kernel CVE team has assigned CVE-2025-40275 to this issue. Affected and fixed versions =========================== Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 5.4.302 with commit 23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 5.10.247 with commit c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 5.15.197 with commit 9f282104627be5fbded3102ff9004f753c55a063 Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 6.1.159 with commit 2762d3ea9c929ca4094541ca517c317ffa94625b Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 6.6.117 with commit 57f607c112966c21240c424b33e2cb71e121dcf0 Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 6.12.59 with commit cbdbfc756f2990942138ed0138da9303b4dbf9ff Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 6.17.9 with commit 85568535893600024d7d8794f4f8b6428b521e0c Issue introduced in 4.18 with commit 17156f23e93c0f59e06dd2aaffd06221341caaee and fixed in 6.18 with commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40275 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/usb/mixer.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063 https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0 https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74
Powered by blists - more mailing lists