CVE-2025-38662 in Linux
Summary
by MITRE • 08/22/2025
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv
Given mt8365_dai_set_priv allocate priv_size space to copy priv_data which means we should pass mt8365_i2s_priv[i] or "struct mtk_afe_i2s_priv"
instead of afe_priv which has the size of "struct mt8365_afe_private".
Otherwise the KASAN complains about.
[ 59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]
... [ 59.394789] Call trace:
[ 59.395167] dump_backtrace+0xa0/0x128
[ 59.395733] show_stack+0x20/0x38
[ 59.396238] dump_stack_lvl+0xe8/0x148
[ 59.396806] print_report+0x37c/0x5e0
[ 59.397358] kasan_report+0xac/0xf8
[ 59.397885] kasan_check_range+0xe8/0x190
[ 59.398485] asan_memcpy+0x3c/0x98
[ 59.399022] mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]
[ 59.399928] mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm]
[ 59.400893] mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm]
[ 59.401873] platform_probe+0xcc/0x228
[ 59.402442] really_probe+0x340/0x9e8
[ 59.402992] driver_probe_device+0x16c/0x3f8
[ 59.403638] driver_probe_device+0x64/0x1d8
[ 59.404256] driver_attach+0x1dc/0x4c8
[ 59.404840] bus_for_each_dev+0x100/0x190
[ 59.405442] driver_attach+0x44/0x68
[ 59.405980] bus_add_driver+0x23c/0x500
[ 59.406550] driver_register+0xf8/0x3d0
[ 59.407122] platform_driver_register+0x68/0x98
[ 59.407810] mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm]
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/29/2026
The vulnerability identified as CVE-2025-38662 resides within the Linux kernel's sound subsystem, specifically affecting the Mediatek mt8365 audio driver implementation. This issue manifests as a memory corruption problem that occurs during the initialization of the audio device interface. The root cause stems from an incorrect parameter being passed to the mt8365_dai_set_priv function, which is responsible for setting up private data structures for the audio digital interface. The function expects a specific data size to properly allocate memory for private data, but receives an incorrect parameter that leads to memory boundary violations.
The technical flaw involves a mismatch between data structure sizes and the memory allocation parameters. The mt8365_dai_set_priv function is designed to allocate memory space based on the size of struct mtk_afe_i2s_priv, which represents the correct private data structure for the I2S interface. However, the calling code incorrectly passes a pointer to struct mt8365_afe_private, which is a different data structure with a different memory footprint. This discrepancy causes the kernel's KASAN (Kernel Address Sanitizer) to detect a global out-of-bounds memory access, triggering a kernel panic and system instability.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential security risk that could be exploited to gain unauthorized access to kernel memory spaces. When KASAN detects the out-of-bounds access, it generates a detailed call trace that shows the execution path leading to the error, starting from the platform driver probe mechanism through the audio device initialization chain. The error occurs during the early boot phase when the audio subsystem is being initialized, potentially preventing proper system boot or causing system instability during audio operations. This vulnerability directly violates the principles of memory safety and can be categorized under CWE-121, which deals with stack-based buffer overflow conditions.
Mitigation strategies for this vulnerability involve correcting the parameter passing within the audio driver initialization code to ensure that the correct data structure size is provided to the mt8365_dai_set_priv function. System administrators should ensure that all Linux kernel updates are applied promptly, particularly those containing fixes for the sound subsystem. The fix requires that the code path passing parameters to mt8365_dai_set_priv be modified to use the appropriate struct mtk_afe_i2s_priv pointer instead of the incorrect mt8365_afe_private pointer. Additionally, this vulnerability may be relevant to ATT&CK technique T1068, which covers the exploitation of legitimate credentials and system access for privilege escalation, as memory corruption vulnerabilities often provide a pathway for attackers to execute arbitrary code within kernel space. The vulnerability underscores the importance of proper memory management and parameter validation in kernel modules, particularly those dealing with hardware interfaces and device drivers that must maintain strict memory boundaries to prevent system compromise.