CVE-2025-38056

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38056
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38056.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38056
Downstream
Published
2025-06-18T09:33:36Z
Modified
2025-10-18T02:03:55.704126Z
Summary
ASoC: SOF: Intel: hda: Fix UAF when reloading module
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: hda: Fix UAF when reloading module

hdagenericmachineselect() appends -idisp to the tplg filename by allocating a new string with devmkasprintf(), then stores the string right back into the global variable sndsocacpiintelhda_machines. When the module is unloaded, this memory is freed, resulting in a global variable pointing to freed memory. Reloading the module then triggers a use-after-free:

BUG: KFENCE: use-after-free read in string+0x48/0xe0

Use-after-free read at 0x00000000967e0109 (in kfence-#99): string+0x48/0xe0 vsnprintf+0x329/0x6e0 devmkvasprintf+0x54/0xb0 devmkasprintf+0x58/0x80 hdamachineselect.cold+0x198/0x17a2 [sndsofintelhdageneric] sofprobework+0x7f/0x600 [sndsof] processonework+0x17b/0x330 workerthread+0x2ce/0x3f0 kthread+0xcf/0x100 retfromfork+0x31/0x50 retfromfork_asm+0x1a/0x30

kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64

allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago): devmkmalloc+0x52/0x120 devmkvasprintf+0x66/0xb0 devmkasprintf+0x58/0x80 hdamachineselect.cold+0x198/0x17a2 [sndsofintelhdageneric] sofprobework+0x7f/0x600 [sndsof] processonework+0x17b/0x330 workerthread+0x2ce/0x3f0 kthread+0xcf/0x100 retfromfork+0x31/0x50 retfromforkasm+0x1a/0x30

freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago): releasenodes+0x43/0xb0 devresreleaseall+0x90/0xf0 deviceunbindcleanup+0xe/0x70 devicereleasedriverinternal+0x1c1/0x200 driverdetach+0x48/0x90 busremovedriver+0x6d/0xf0 pciunregisterdriver+0x42/0xb0 _dosysdeletemodule+0x1d1/0x310 dosyscall64+0x82/0x190 entrySYSCALL64after_hwframe+0x76/0x7e

Fix it by copying the match array with devmkmemduparray() before we modify it.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5458411d75947a4212e50a401ec0a98d4c6c931b
Fixed
2b49e68360eb6a1c03dc1642a51f7d9f6784c034
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5458411d75947a4212e50a401ec0a98d4c6c931b
Fixed
f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5458411d75947a4212e50a401ec0a98d4c6c931b
Fixed
7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af

Affected versions

v6.*

v6.11
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-38056-09b4fc60",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "55308001485451977425343271113054499973",
                "188111253530535620355805092056004068752",
                "170989793044965936768205316696109884421",
                "44635167034393527849546067301118568833"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-38056-2041c5d0",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "55308001485451977425343271113054499973",
                "188111253530535620355805092056004068752",
                "170989793044965936768205316696109884421",
                "44635167034393527849546067301118568833"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2b49e68360eb6a1c03dc1642a51f7d9f6784c034",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-38056-26afc663",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "hda_generic_machine_select",
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "length": 1191.0,
            "function_hash": "62648059952997158988645480356090085989"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2b49e68360eb6a1c03dc1642a51f7d9f6784c034",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-38056-5b749d12",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "hda_generic_machine_select",
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "length": 1191.0,
            "function_hash": "62648059952997158988645480356090085989"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-38056-9e75c61d",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "55308001485451977425343271113054499973",
                "188111253530535620355805092056004068752",
                "170989793044965936768205316696109884421",
                "44635167034393527849546067301118568833"
            ]
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-38056-b6a21c6c",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "hda_generic_machine_select",
            "file": "sound/soc/sof/intel/hda.c"
        },
        "digest": {
            "length": 1191.0,
            "function_hash": "62648059952997158988645480356090085989"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.31
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.9