CVE-2024-58012 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params
Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability CVE-2024-58012 affects the Linux kernel's sound subsystem, specifically within the SOF (Sound Open Firmware) framework used for Intel audio processing. This issue resides in the hda-dai component which handles High Definition Audio Digital-to-Analog converters and their associated widget management. The problem manifests when processing audio topologies that involve aggregated amplifiers, where the system fails to properly validate DAI widget associations during parameter configuration operations.
The technical flaw stems from insufficient validation of DAI widget references within the audio processing pipeline. When the kernel attempts to configure audio parameters for a CPU DAI, it expects each DAI to have a corresponding widget object for proper operation. However, in certain topology configurations involving aggregated amplifiers, the system may not create the appropriate number of DAI widgets, leading to a situation where the widget reference becomes NULL. This NULL pointer dereference occurs during the params operation, which is a critical function for setting up audio stream parameters and establishing proper communication between audio components.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential denial-of-service condition that could affect audio functionality in Linux systems. Attackers or system administrators could potentially trigger this condition through malformed audio topology configurations, causing the kernel to crash or become unresponsive during audio parameter setup operations. This vulnerability is particularly concerning in embedded systems or devices where audio processing is critical and system stability is paramount, as it could lead to complete system lockups or require manual intervention to restore audio functionality.
The root cause aligns with CWE-476 which describes NULL pointer dereference vulnerabilities, and the issue demonstrates characteristics consistent with ATT&CK technique T1490 - Inhibit System Recovery, as it can cause system instability through kernel-level memory access violations. The fix implemented addresses this by adding validation checks to ensure that each CPU DAI has a valid widget association before proceeding with parameter operations. This mitigation approach follows established security practices for preventing NULL pointer dereferences in kernel code and aligns with the principle of input validation that should be applied to all system interfaces. The solution specifically targets the audio topology processing path where aggregated amplifier configurations create scenarios where widget creation does not match DAI requirements, thus preventing the invalid memory access that would otherwise occur during audio parameter setup operations.