Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: hda: Fix NULL pointer dereference

If there's a mismatch between the DAI links in the machine driver and
the topology, it is possible that the playback/capture widget is not
set, especially in the case of loopback capture for echo reference
where we use the dummy DAI link. Return the error when the widget is not
set to avoid a null pointer dereference like below when the topology is
broken.

RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a null pointer dereference in the Linux kernel’s ASoC SOF Intel HDA driver. When the Digital Audio Interface (DAI) links defined in a machine driver do not match those used by the topology—particularly during loopback capture for echo reference—the code attempts to access a widget that may not be set. This causes a null pointer dereference in hda_dai_get_ops, leading to a kernel crash and a loss of system availability. The attack does not leak information but can cause severe disruption if exploited.

Affected Systems

All Linux kernel releases that include the Intel SOF HDA driver without the patch from commit 10411f1f2c76be67103b1f95822ff629aa25e2aa are affected. The vulnerability is present in kernel versions that provide the SOF audio driver for Intel hardware until the fix is applied. The affected audio subsystem is part of the ASoC architecture within the Linux kernel.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, so its exploitation likelihood is unknown. However, the flaw can lead to an out‑of‑memory or kernel panic scenario. The likely attack vector is local or during system boot when the topology is initialized; an attacker who can influence the machine driver or topology configuration could trigger the crash, resulting in a denial of service. The fix returns an error instead of dereferencing the null pointer, so the impact is mitigated only once the patch is deployed.

Generated by OpenCVE AI on May 6, 2026 at 13:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the commit referenced in the advisory, or back‑port the fix to the running kernel. This ensures the NULL pointer check is enforced during DAI link validation.
  • Verify that the DAI link definitions in each machine driver match the corresponding topology entries; mismatches should be corrected to prevent the situation that triggers the crash.
  • If an immediate kernel upgrade is not possible, disable or bypass the SOF HDA audio driver modules on impacted systems to avoid the crash until the patch can be applied.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:15:00 +0000

Values added (none removed):
  • Weaknesses: CWE-476

Wed, 06 May 2026 12:15:00 +0000

Values added (none removed):
  • Description: same text as the Description at the top of this entry
  • Title: ASoC: SOF: Intel: hda: Fix NULL pointer dereference
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:23.592Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43137

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:31.007

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T15:30:05Z

Weaknesses