Impact
In the Linux kernel, the SoundWire Audio Common (SDCA) subsystem performs cleanup by iterating over all SDCA function descriptors and calling sdca_dev_unregister() for each. If earlier part of registration fails or cleanup races with probe deferral, some function descriptor entries remain NULL. Unchecked NULL dereference in this path leads to a kernel oops and can crash the system. The vulnerability is a NULL pointer dereference, identified as CWE‑476. The crash manifests as a NULL pointer dereference in device_del, ultimately terminating the affected kernel instance. Consequently, the primary impact is denial of service, as the system must reboot or be otherwise restored after a crash.
Affected Systems
All Linux kernel distributions that include the ASoC SDCA driver. This includes recent mainstream kernels where the SDCA subsystem is enabled for SoundWire devices, particularly on platforms such as Lenovo ThinkPad X1 Carbon G14 with Panther Lake firmware. The vulnerability affects the ALSA sound subsystem and the soundwire_bus components that register and unregister SDCA functions.
Risk and Exploitability
The CVSS score is 5.5, indicating medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. Nonetheless, the nature of a kernel crash can lead to significant disruption. The likely attack vector is local, requiring an attacker to trigger a probe failure or a race condition during driver cleanup, which may be achievable through crafted audio configuration or by manipulating firmware presence. Because exploitation requires code execution in privileged kernel context, the risk is mitigated compared to publicly exploitable user‑space vulnerabilities, but the impact of a successful exploit remains high.
OpenCVE Enrichment