CVE-2025-38486 in Linux
Summary
by MITRE • 07/28/2025
In the Linux kernel, the following vulnerability has been resolved:
soundwire: Revert "soundwire: qcom: Add set_channel_map api support"
This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.
This patch broke Dragonboard 845c (sdm845). I see:
Unexpected kernel BRK exception at EL1
Internal error: BRK handler: 00000000f20003e8 [#1] SMP
pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]
lr : snd_soc_dai_set_channel_map+0x34/0x78
Call trace:
 qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)
 sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]
 snd_soc_link_init+0x28/0x6c
 snd_soc_bind_card+0x5f4/0xb0c
 snd_soc_register_card+0x148/0x1a4
 devm_snd_soc_register_card+0x50/0xb0
 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]
 platform_probe+0x6c/0xd0
 really_probe+0xc0/0x2a4
 __driver_probe_device+0x7c/0x130
 driver_probe_device+0x40/0x118
 __device_attach_driver+0xc4/0x108
 bus_for_each_drv+0x8c/0xf0
 __device_attach+0xa4/0x198
 device_initial_probe+0x18/0x28
 bus_probe_device+0xb8/0xbc
 deferred_probe_work_func+0xac/0xfc
 process_one_work+0x244/0x658
 worker_thread+0x1b4/0x360
 kthread+0x148/0x228
 ret_from_fork+0x10/0x20
Kernel panic - not syncing: BRK handler: Fatal exception
Dan has also reported the following issues with the original patch: https://lore.kernel.org/all/[email protected]/
Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128.
Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out.
Bug #3: Like Jie Gan pointed out, it erases all the tx information with the rx information.
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability CVE-2025-38486 represents a critical regression in the Linux kernel's SoundWire subsystem affecting Qualcomm-based platforms, particularly the Dragonboard 845c. This issue stems from an erroneous commit that introduced channel mapping functionality in the qcom soundwire driver and ultimately caused system crashes through kernel exceptions. The problem manifests as an unexpected BRK exception at EL1, indicating a fatal error in the kernel's exception handling mechanism. The technical flaw lies within the qcom_swrm_set_channel_map function, where improper memory management leads to kernel panics during audio subsystem initialization. The vulnerability directly impacts the soundwire_qcom kernel module, which manages audio interfaces on Qualcomm SoCs, and specifically affects the sdm845 platform through the snd_soc_sdm845 driver.
The root cause of this vulnerability is a set of memory corruption issues stemming from improper array indexing and data structure handling within the SoundWire driver implementation. The primary technical flaw is that the code writes to ctrl->pconfig[0], which is supposed to remain unused according to the SoundWire specification because the driver numbers ports from 1; the implementation nevertheless sets ctrl->pconfig[0].ch_mask = 128. Additionally, the code exhibits a buffer overflow: the tx_ch[] array contains SLIM_MAX_TX_PORTS (16) elements, but the ctrl->pconfig[] array has only QCOM_SDW_MAX_PORTS + 1 (15) elements, so copying the 16th element writes past the end of pconfig[] into adjacent memory. The corruption extends beyond a simple buffer overflow to a data mixing issue in which all transmit information is overwritten with receive information, fundamentally corrupting the audio data flow. These issues align with CWE-121 and CWE-125 categories related to stack-based buffer overflow and heap-based buffer overflow respectively, and demonstrate patterns consistent with ATT&CK technique T1059.003 for kernel-level code injection and T1547.001 for privilege escalation through kernel exploitation.
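The three defects described above (index 0 written, a 16-entry source copied into a 15-entry table, and rx data overwriting tx data) reduce to missing bounds and ownership checks on the channel-map write path. The following is an added example, not the kernel's code, not the reverted commit and not part of the VulDB analysis: a hardened channel-map setter in C that refuses any map larger than the port table before writing, leaves index 0 unused, and keeps transmit and receive masks in separate fields. The array sizes are the ones the report states; the struct layout, the field names tx_ch_mask/rx_ch_mask and the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes as stated in the report: tx_ch[] has SLIM_MAX_TX_PORTS (16) entries,
 * ctrl->pconfig[] has QCOM_SDW_MAX_PORTS + 1 (15) entries, pconfig[0] unused. */
#define SLIM_MAX_TX_PORTS   16
#define QCOM_SDW_MAX_PORTS  14
#define PCONFIG_LEN         (QCOM_SDW_MAX_PORTS + 1)

/* Hypothetical, simplified layout modelled on the identifiers in the report;
 * not the kernel's real struct definitions. Separate tx/rx masks keep one
 * direction from erasing the other (Bug #3). */
struct port_config {
    uint32_t tx_ch_mask;
    uint32_t rx_ch_mask;
};

struct swrm_ctrl {
    struct port_config pconfig[PCONFIG_LEN];
};

/* Hardened setter (added example). Ports are numbered from 1, so pconfig[0]
 * is never written, and the channel counts are validated against the number
 * of ports that exist before any write. Returns 0 or -EINVAL. */
static int set_channel_map_checked(struct swrm_ctrl *ctrl,
                                   const unsigned int *tx_ch, unsigned int tx_num,
                                   const unsigned int *rx_ch, unsigned int rx_num)
{
    if (!ctrl || (tx_num && !tx_ch) || (rx_num && !rx_ch))
        return -EINVAL;

    /* A 16-entry tx_ch[] cannot map onto 14 ports: reject the whole request
     * rather than writing 15 entries and corrupting whatever follows (Bug #2). */
    if (tx_num > QCOM_SDW_MAX_PORTS || rx_num > QCOM_SDW_MAX_PORTS)
        return -EINVAL;

    for (unsigned int i = 0; i < tx_num; i++)
        ctrl->pconfig[i + 1].tx_ch_mask = tx_ch[i];   /* Bug #1: start at 1 */
    for (unsigned int i = 0; i < rx_num; i++)
        ctrl->pconfig[i + 1].rx_ch_mask = rx_ch[i];
    return 0;
}

/* Self-checks mirroring the three bugs; each returns 1 on correct behaviour. */

/* Bug #2: a full SLIM_MAX_TX_PORTS-sized map is refused and nothing is written. */
static int check_oversized_map_rejected(void)
{
    struct swrm_ctrl ctrl;
    unsigned int tx[SLIM_MAX_TX_PORTS];
    memset(&ctrl, 0, sizeof(ctrl));
    for (unsigned int i = 0; i < SLIM_MAX_TX_PORTS; i++)
        tx[i] = 1u << i;                       /* constructed masks */

    if (set_channel_map_checked(&ctrl, tx, SLIM_MAX_TX_PORTS, NULL, 0) != -EINVAL)
        return 0;
    for (unsigned int i = 0; i < PCONFIG_LEN; i++)
        if (ctrl.pconfig[i].tx_ch_mask != 0)
            return 0;
    return 1;
}

/* Bug #1: with a map that fits, pconfig[0] stays zero and tx_ch[0] lands in pconfig[1]. */
static int check_port_zero_unused(void)
{
    struct swrm_ctrl ctrl;
    unsigned int tx[QCOM_SDW_MAX_PORTS];
    memset(&ctrl, 0, sizeof(ctrl));
    for (unsigned int i = 0; i < QCOM_SDW_MAX_PORTS; i++)
        tx[i] = 128 + i;                       /* constructed; 128 is the mask in the report */

    if (set_channel_map_checked(&ctrl, tx, QCOM_SDW_MAX_PORTS, NULL, 0) != 0)
        return 0;
    return ctrl.pconfig[0].tx_ch_mask == 0 &&
           ctrl.pconfig[1].tx_ch_mask == 128 &&
           ctrl.pconfig[QCOM_SDW_MAX_PORTS].tx_ch_mask == 128 + QCOM_SDW_MAX_PORTS - 1;
}

/* Bug #3: programming the rx map leaves the tx map intact. */
static int check_rx_keeps_tx(void)
{
    struct swrm_ctrl ctrl;
    unsigned int tx[2] = { 0x3, 0xc };          /* constructed masks */
    unsigned int rx[2] = { 0x30, 0xc0 };
    memset(&ctrl, 0, sizeof(ctrl));

    if (set_channel_map_checked(&ctrl, tx, 2, rx, 2) != 0)
        return 0;
    return ctrl.pconfig[1].tx_ch_mask == 0x3 && ctrl.pconfig[2].tx_ch_mask == 0xc &&
           ctrl.pconfig[1].rx_ch_mask == 0x30 && ctrl.pconfig[2].rx_ch_mask == 0xc0;
}

int main(void)
{
    printf("oversized map rejected: %d\n", check_oversized_map_rejected());
    printf("port 0 left unused:     %d\n", check_port_zero_unused());
    printf("rx keeps tx:            %d\n", check_rx_keeps_tx());
    return 0;
}
```

The design point is that the size check happens before the first write and rejects the request as a whole; a setter that checks inside the loop still leaves a partially programmed table, and one that clamps silently hides the caller's bug instead of surfacing it as -EINVAL.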
The operational impact of this vulnerability is severe: it renders affected systems unstable during audio subsystem initialization, causing immediate kernel panics and system crashes on Qualcomm-based devices like the Dragonboard 845c. This affects not only audio functionality but can also impact overall system stability and boot, since the soundwire subsystem is integral to audio device management. The vulnerability specifically impacts devices running Linux kernels with the affected soundwire_qcom driver, making it particularly concerning for embedded audio systems and mobile platforms. The crash occurs during snd_soc_register_card, meaning that any application or service attempting to initialize audio hardware on these platforms will encounter immediate system failures. The memory corruption issues could potentially be exploited by malicious actors to achieve privilege escalation or denial of service, making this vulnerability particularly dangerous in security-sensitive environments where system stability is paramount. Organizations deploying these platforms must urgently apply the revert to prevent system instability and potential security exploitation.
Mitigation for CVE-2025-38486 consists of applying the revert commit, which removes the problematic set_channel_map API support from the qcom soundwire driver. System administrators should ensure that all affected devices are updated to kernel versions containing this fix, particularly those running on Qualcomm sdm845 and similar platforms. The recommended approach is to verify that the running kernel includes the revert and to confirm that no third-party modules attempt to use the removed functionality. Organizations should also monitor for kernel panic events related to the soundwire subsystem and establish procedures for rapid response to audio initialization failures. Because the revert removes the array handling and memory management defects outright, the ctrl->pconfig[] array is no longer written from the larger tx_ch[] array and transmit and receive channel information are no longer mixed. Mitigation should include verification that no other modules access the removed channel mapping API, and system testing to validate that audio functionality operates correctly without the problematic implementation.
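For the monitoring recommendation above, the following is an added example (not from the advisory, the kernel or any VulDB tooling) in C that classifies a batch of kernel log lines by the signature quoted in the summary: an "Internal error" or "Kernel panic" line together with a frame from the soundwire_qcom module or its qcom_swrm_ functions. The log lines are constructed for the example (timestamps invented; the frame text is taken from the summary, and the unrelated oops uses placeholder names); the verdict and function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a batch of kernel log lines (names are assumptions). */
enum verdict {
    LOG_CLEAN = 0,           /* no kernel fault seen */
    LOG_KERNEL_FAULT = 1,    /* oops or panic, but not in the soundwire path */
    LOG_SOUNDWIRE_FAULT = 2  /* fault with a soundwire_qcom frame: matches the summary */
};

/* Constructed sample modelled on the trace in the summary: timestamps are
 * invented, frame text is the advisory's. */
static const char *const sample_soundwire_panic[] = {
    "[    5.204411] Unexpected kernel BRK exception at EL1",
    "[    5.204420] Internal error: BRK handler: 00000000f20003e8 [#1] SMP",
    "[    5.204433] pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]",
    "[    5.204440] lr : snd_soc_dai_set_channel_map+0x34/0x78",
    "[    5.204455] Call trace:",
    "[    5.204460]  qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)",
    "[    5.204470]  sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]",
    "[    5.204900] Kernel panic - not syncing: BRK handler: Fatal exception",
};

/* Constructed sample of an unrelated fault (placeholder module and symbol),
 * to show the classifier does not flag every oops as this issue. */
static const char *const sample_other_oops[] = {
    "[   12.000100] Internal error: Oops: 0000000096000005 [#1] SMP",
    "[   12.000200] pc : unrelated_driver_fn+0x10/0x40 [hypothetical_mod]",
    "[   12.000300] Call trace:",
    "[   12.000400]  unrelated_driver_fn+0x10/0x40 [hypothetical_mod]",
};

/* Constructed sample of ordinary boot output. */
static const char *const sample_clean_boot[] = {
    "[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x517f803c]",
    "[    2.000000] random: crng init done",
};

/* Scan the lines once; a fault is only attributed to the soundwire path when
 * a soundwire_qcom frame appears in the same batch. */
static enum verdict classify_dmesg(const char *const *lines, size_t n)
{
    int fault = 0, soundwire = 0;

    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], "Internal error:") ||
            strstr(lines[i], "Kernel panic - not syncing"))
            fault = 1;
        if (strstr(lines[i], "[soundwire_qcom]") ||
            strstr(lines[i], "qcom_swrm_"))
            soundwire = 1;
    }
    if (fault && soundwire)
        return LOG_SOUNDWIRE_FAULT;
    return fault ? LOG_KERNEL_FAULT : LOG_CLEAN;
}

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static enum verdict classify_soundwire_sample(void)
{
    return classify_dmesg(sample_soundwire_panic, COUNT(sample_soundwire_panic));
}

static enum verdict classify_other_oops_sample(void)
{
    return classify_dmesg(sample_other_oops, COUNT(sample_other_oops));
}

static enum verdict classify_clean_sample(void)
{
    return classify_dmesg(sample_clean_boot, COUNT(sample_clean_boot));
}

int main(void)
{
    printf("soundwire panic sample: %d\n", classify_soundwire_sample());
    printf("unrelated oops sample:  %d\n", classify_other_oops_sample());
    printf("clean boot sample:      %d\n", classify_clean_sample());
    return 0;
}
```

In practice the lines would come from dmesg or the journal after a boot that failed to bring up audio; a LOG_SOUNDWIRE_FAULT verdict on a device whose kernel predates the revert is the condition worth alerting on.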