CVE-2025-38299 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()

ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null.

Avoid a crash if the device tree is not assigning a codec to these links.

[ 1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 1.181065] Mem abort info:
[ 1.181420] ESR = 0x0000000096000004
[ 1.181892] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1.182576] SET = 0, FnV = 0
[ 1.182964] EA = 0, S1PTW = 0
[ 1.183367] FSC = 0x04: level 0 translation fault
[ 1.183983] Data abort info:
[ 1.184406] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 1.185097] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 1.185766] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 1.186439] [0000000000000000] user address but active_mm is swapper
[ 1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 1.188029] Modules linked in:
[ 1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85
[ 1.189515] Hardware name: Radxa NIO 12L (DT)
[ 1.190065] Workqueue: events_unbound deferred_probe_work_func
[ 1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.191683] pc : __pi_strcmp+0x24/0x140
[ 1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0
[ 1.192854] sp : ffff800083473970
[ 1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002
[ 1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88
[ 1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8
[ 1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff
[ 1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006
[ 1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374
[ 1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018
[ 1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
[ 1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d
[ 1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000
[ 1.202236] Call trace:
[ 1.202545] __pi_strcmp+0x24/0x140 (P)
[ 1.203029] mtk_soundcard_common_probe+0x3bc/0x5b8
[ 1.203644] platform_probe+0x70/0xe8
[ 1.204106] really_probe+0xc8/0x3a0
[ 1.204556] __driver_probe_device+0x84/0x160
[ 1.205104] driver_probe_device+0x44/0x130
[ 1.205630] __device_attach_driver+0xc4/0x170
[ 1.206189] bus_for_each_drv+0x8c/0xf8
[ 1.206672] __device_attach+0xa8/0x1c8
[ 1.207155] device_initial_probe+0x1c/0x30
[ 1.207681] bus_probe_device+0xb0/0xc0
[ 1.208165] deferred_probe_work_func+0xa4/0x100
[ 1.208747] process_one_work+0x158/0x3e0
[ 1.209254] worker_thread+0x2c4/0x3e8
[ 1.209727] kthread+0x134/0x1f0
[ 1.210136] ret_from_fork+0x10/0x20
[ 1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402)
[ 1.211355] ---[ end trace 0000000000000000 ]---

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability CVE-2025-38299 resides within the Linux kernel's sound subsystem, specifically affecting the Mediatek mt8195 audio driver implementation. This issue manifests as a NULL pointer dereference when the device tree configuration fails to assign a codec to certain audio links, particularly ETDM2_IN_BE and ETDM1_OUT_BE. These links are defined as COMP_EMPTY() in the codebase, which creates a scenario where the dai_name field becomes NULL. When the system attempts to process these links during audio card probing, it triggers an immediate kernel crash due to the dereference of a null pointer at virtual address zero, as evidenced by the kernel oops trace. The crash occurs during the platform probe phase, specifically within the mtk_soundcard_common_probe function, where the system attempts to perform string comparison operations on a NULL dai_name field, leading to an unrecoverable kernel panic. This vulnerability directly maps to CWE-476, which represents a NULL pointer dereference, and aligns with ATT&CK technique T1490, indicating a potential system crash or denial of service condition.

The technical flaw stems from inadequate null pointer validation in the audio subsystem's device tree parsing logic. When the device tree does not explicitly assign a codec to ETDM1/2 input/output links, the system fails to properly handle the resulting NULL dai_name field. The kernel attempts to execute string operations on this NULL value, causing an immediate page fault and subsequent system crash. The error trace shows the execution path leading from the platform probe mechanism through the mtk_soundcard_common_probe function, where the __pi_strcmp function fails due to the null pointer dereference. This represents a classic buffer overflow scenario where the kernel assumes the presence of valid data structures without proper validation. The crash occurs in a kernel worker thread during deferred probe processing, indicating that the issue affects the system's ability to initialize audio hardware properly during boot or hot-plug events.

The operational impact of this vulnerability is significant for embedded systems utilizing the mt8195 SoC, particularly those running Linux kernel versions that include the affected audio driver code. Systems that rely on device tree configurations without explicit codec assignments for ETDM links will experience immediate kernel panics and system crashes, resulting in complete denial of service for audio functionality. This affects devices such as embedded computers, single-board computers, and mobile platforms that use the Mediatek mt8195 chipset for audio processing. The vulnerability can be exploited remotely through device tree manipulation or during system boot, potentially causing system instability and requiring manual intervention or hardware reset. The crash occurs at kernel level, meaning that any audio-related functionality becomes completely unavailable until the system is rebooted, and in some cases, the system may fail to boot properly.

Mitigation strategies for this vulnerability involve implementing proper null pointer checks in the audio subsystem driver code, specifically ensuring that dai_name fields are validated before string operations are performed. The fix should modify the mt8195 audio driver to explicitly check for NULL values in the dai_name field and handle such cases gracefully by setting appropriate default values or skipping problematic link configurations. System administrators should ensure that device tree configurations properly assign codecs to audio links or implement default codec assignments to prevent the NULL pointer scenario. Kernel updates containing the patched driver code should be applied immediately, as this vulnerability affects the core audio subsystem and can lead to complete system instability. Additionally, monitoring systems should be configured to detect kernel oops messages and system crashes related to audio initialization, providing early warning of potential exploitation attempts. The fix aligns with security best practices for kernel development and follows the principle of defensive programming to prevent unexpected null pointer dereferences in critical system components.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00143

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!