CVE-2025-39930 - Vulnerability Details

- ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()

commit 419d1918105e ("ASoC: simple-card-utils: use __free(device_node) for
device node") uses __free(device_node) for dlc->of_node, but we need to
keep it while driver is in use.

Don't use __free(device_node) in graph_util_parse_dai().

Published: 2025-04-18

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when the Linux kernel’s ASoC simple‑card utilities release a device node prematurely by calling __free(device_node) within graph_util_parse_dai(). This mismanagement of memory can lead to a use‑after‑free condition, potentially causing the kernel to crash or behave unpredictably, which in turn could be leveraged for denial of service or, in certain circumstances, by an attacker with local privileges to target kernel memory. The primary impact is a loss of availability and a risk of kernel memory corruption.

Affected Systems

All Linux kernel releases that include the ASoC simple‑card command utilities are potentially affected. The CVE does not list specific kernel versions or patches, so the vulnerability applies broadly to any build that contains the unpatched code path in graph_util_parse_dai(). It is not limited to a particular distribution or vendor beyond the Linux kernel itself.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability is considered moderate in severity. The EPSS score of less than 1% indicates that the overall probability of exploitation is very low, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is likely local or requires privileged execution, so compromising the system is required for an attacker to exploit the flaw. Given the low exploitation probability and the availability of a patch, the risk to most users remains low, though a kernel crash would result in a denial of service for affected users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e03f8d14191142849abad62307d4128afd304521`	affected	< 146e25625378f7d4463acbd1ffbd975f3332a806
`142a386a805809e21361976d566392bcd07870b8`	affected	< 16a49e3fda339aa552cde7f2cdbb25b91426cb8a
`419d1918105e5d9926ab02f1f834bb416dc76f65`	affected	< 232a32e8a7e9be8a2ee238df9b5304eed2f4e195
`419d1918105e5d9926ab02f1f834bb416dc76f65`	affected	< de74ec718e0788e1998eb7289ad07970e27cae27
`6.6.130`	affected	< 6.6.135
`6.12.78`	affected	< 6.12.82

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.6.135`	unaffected	≤ 6.6.*
`6.12.82`	unaffected	≤ 6.12.*
`6.14.2`	unaffected	≤ 6.14.*
`6.15`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the patch commit 419d1918105e which removes the premature __free call in graph_util_parse_dai()
If your distribution has not yet released an updated kernel, apply the patch from the Linux kernel git repository and rebuild the kernel, ensuring all ASoC components use the patched code
If updating the kernel is not possible immediately, disable the ASoC module or any unused sound card components to reduce the attack surface.

Generated by OpenCVE AI on April 20, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-11815	In the Linux kernel, the following vulnerability has been resolved: ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai() commit 419d1918105e ("ASoC: simple-card-utils: use __free(device_node) for device node") uses __free(device_node) for dlc->of_node, but we need to keep it while driver is in use. Don't use __free(device_node) in graph_util_parse_dai().
Ubuntu USN	USN-7594-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7594-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7594-3	Linux kernel vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/146e25625378f7d4463acbd1ffbd975f3332a806
https://git.kernel.org/stable/c/16a49e3fda339aa552cde7f2cdbb25b91426cb8a
https://git.kernel.org/stable/c/232a32e8a7e9be8a2ee238df9b5304eed2f4e195
https://git.kernel.org/stable/c/de74ec718e0788e1998eb7289ad07970e27cae27
https://lore.kernel.org/linux-cve-announce/2025041821-CVE-2025-39930-6fed@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-39930
https://www.cve.org/CVERecord?id=CVE-2025-39930

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/146e25625378f7d4463acbd1ffbd975f3332a806 https://git.kernel.org/stable/c/16a49e3fda339aa552cde7f2cdbb25b91426cb8a

Thu, 06 Nov 2025 21:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel::::::::

Sat, 19 Apr 2025 02:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025041821-CVE-2025-39930-6fed@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-39930 https://www.cve.org/CVERecord?id=CVE-2025-39930
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 18 Apr 2025 07:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai() commit 419d1918105e ("ASoC: simple-card-utils: use __free(device_node) for device node") uses __free(device_node) for dlc->of_node, but we need to keep it while driver is in use. Don't use __free(device_node) in graph_util_parse_dai().
Title		ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()
References		https://git.kernel.org/stable/c/232a32e8a7e9be8a2ee238df9b5304eed2f4e195 https://git.kernel.org/stable/c/de74ec718e0788e1998eb7289ad07970e27cae27

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-04-18T07:01:38.576Z

Updated: 2026-05-23T16:01:00.988Z

Reserved: 2025-04-16T07:20:57.147Z

Link: CVE-2025-39930

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-04-18T07:15:44.460

Modified: 2026-04-18T09:16:11.863

Link: CVE-2025-39930

Redhat

Severity : Low

Publid Date: 2025-04-18T00:00:00Z

Links: CVE-2025-39930 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses

NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object