CVE-2025-38438
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/07/2025
Last modified:
19/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.<br />
<br />
sof_pdata->tplg_filename can have address allocated by kstrdup()<br />
and can be overwritten. Memory leak was detected with kmemleak:<br />
<br />
unreferenced object 0xffff88812391ff60 (size 16):<br />
comm "kworker/4:1", pid 161, jiffies 4294802931<br />
hex dump (first 16 bytes):<br />
73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic.<br />
backtrace (crc 4bf1675c):<br />
__kmalloc_node_track_caller_noprof+0x49c/0x6b0<br />
kstrdup+0x46/0xc0<br />
hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic]<br />
sof_init_environment+0x16f/0xb50 [snd_sof]<br />
sof_probe_continue+0x45/0x7c0 [snd_sof]<br />
sof_probe_work+0x1e/0x40 [snd_sof]<br />
process_one_work+0x894/0x14b0<br />
worker_thread+0x5e5/0xfb0<br />
kthread+0x39d/0x760<br />
ret_from_fork+0x31/0x70<br />
ret_from_fork_asm+0x1a/0x30
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.2 (including) | 6.12.39 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page