CVE-2026-43443 - Vulnerability Details

- ASoC: amd: acp-mach-common: Add missing error check for clock acquisition

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: amd: acp-mach-common: Add missing error check for clock acquisition

The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not
check the return values of clk_get(). This could lead to a kernel crash
when the invalid pointers are later dereferenced by clock core
functions.

Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding IS_ERR() checks immediately after each clock acquisition.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from missing error handling when acquiring clocks in the AMD ACP audio driver. Without checking the return value of clk_get(), an invalid pointer may be returned and later dereferenced by the clock core, causing a kernel crash. This results in a denial of service by bringing the system down because the kernel panics rather than gracefully handling the failure.

Affected Systems

The flaw affects the Linux kernel driver stack for AMD ACP audio devices, specifically the acp_card_rt5682_init() and acp_card_rt5682s_init() functions. Any Linux installation that includes these drivers could be impacted. The exact kernel versions are not listed, so operators should assume all kernels before the patch are potentially vulnerable.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating that public exploitation data is lacking. The CVSS score is 5.5, indicating medium severity. Based on the description, it is inferred that an attacker would need the ability to load or reinitialize the affected driver, which typically implies local access. The risk is high if the vulnerability can be triggered, as a kernel panic leads to a complete loss of service, but the likelihood of widespread exploitation remains uncertain due to the lack of known public exploits.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d4c750f2c7d44b5b39e197308bc3f510205bba4b`	affected	< 0cee68fb7f4cf1562e067c5a82d25062a973b0d0
`d4c750f2c7d44b5b39e197308bc3f510205bba4b`	affected	< 30c64fb9839949f085c8eb55b979cbd8a4c51f00

Linux

affected

Version	Status	Constraints
`5.16`	affected	—
`0`	unaffected	< 5.16
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[d4c750f2c7d44b5b39e197308bc3f510205bba4b,0cee68fb7f4cf1562e067c5a82d25062a973b0d0)`	affected	code_commit	—
`[d4c750f2c7d44b5b39e197308bc3f510205bba4b,30c64fb9839949f085c8eb55b979cbd8a4c51f00)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.16`	affected	generic	—
`[0,5.16)`	unaffected	generic	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that replaces clk_get() with devm_clk_get() and adds IS_ERR() checks. This is the official fix provided by the Linux kernel maintainers.
If an immediate kernel upgrade is unavailable, disable or unload the offending ACP audio driver modules to prevent initialization of the vulnerable code.
Continuously monitor system logs for clock acquisition failures or kernel panics; if crashes are detected, plan a prompt kernel update.

Generated by OpenCVE AI on May 9, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0
https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00
https://lore.kernel.org/linux-cve-announce/2026050855-CVE-2026-43443-d120@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43443
https://www.cve.org/CVERecord?id=CVE-2026-43443

History

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-390
References		https://lore.kernel.org/linux-cve-announce/2026050855-CVE-2026-43443-d120@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43443 https://www.cve.org/CVERecord?id=CVE-2026-43443
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition.
Title		ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0 https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:11.303Z

Updated: 2026-05-08T14:22:11.303Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43443

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:56.780

Modified: 2026-05-08T15:16:56.780

Link: CVE-2026-43443

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43443 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T14:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object