CVE-2025-38486

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/07/2025
Last modified:
19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

soundwire: Revert "soundwire: qcom: Add set_channel_map api support"

This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.

This patch broke Dragonboard 845c (sdm845). I see:

Unexpected kernel BRK exception at EL1
Internal error: BRK handler: 00000000f20003e8 [#1] SMP
pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]
lr : snd_soc_dai_set_channel_map+0x34/0x78
Call trace:
qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)
sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]
snd_soc_link_init+0x28/0x6c
snd_soc_bind_card+0x5f4/0xb0c
snd_soc_register_card+0x148/0x1a4
devm_snd_soc_register_card+0x50/0xb0
sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]
platform_probe+0x6c/0xd0
really_probe+0xc0/0x2a4
__driver_probe_device+0x7c/0x130
driver_probe_device+0x40/0x118
__device_attach_driver+0xc4/0x108
bus_for_each_drv+0x8c/0xf0
__device_attach+0xa4/0x198
device_initial_probe+0x18/0x28
bus_probe_device+0xb8/0xbc
deferred_probe_work_func+0xac/0xfc
process_one_work+0x244/0x658
worker_thread+0x1b4/0x360
kthread+0x148/0x228
ret_from_fork+0x10/0x20
Kernel panic - not syncing: BRK handler: Fatal exception

Dan has also reported the following issues with the original patch:
https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/

Bug #1:
The zeroth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128.

Bug #2:
There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out.

Bug 3:
Like Jie Gan pointed out, it erases all the tx information with the rx information.
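
The three bugs listed in the description above, shown as the checks a channel-map setter would need. This is an added user-space model, not the kernel driver's code or the reverted patch. The array sizes come from the description; `ctrl_model`, `port_config`, `set_channel_map_checked`, the `demo_*` helpers and the choice to place rx slots directly after tx slots are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>

#define SLIM_MAX_TX_PORTS  16  /* tx_ch[] size, from the description */
#define QCOM_SDW_MAX_PORTS 14  /* pconfig[] has QCOM_SDW_MAX_PORTS + 1 = 15 slots */

struct port_config { unsigned char ch_mask; };  /* hypothetical, reduced */
struct ctrl_model { struct port_config pconfig[QCOM_SDW_MAX_PORTS + 1]; };

/* Store tx then rx masks in pconfig[1..]; refuse anything that does not fit.
 * Placing rx directly after tx is an assumption of this model. */
int set_channel_map_checked(struct ctrl_model *c,
                            unsigned int tx_num, const unsigned int *tx_slot,
                            unsigned int rx_num, const unsigned int *rx_slot)
{
    unsigned int i, port = 1;  /* Bug #1: slot 0 stays unused */

    if ((tx_num && !tx_slot) || (rx_num && !rx_slot))
        return -EINVAL;
    /* Bug #2: bound by the destination array, not by the caller's array */
    if (tx_num > QCOM_SDW_MAX_PORTS || rx_num > QCOM_SDW_MAX_PORTS - tx_num)
        return -EINVAL;
    for (i = 0; i < tx_num; i++)
        c->pconfig[port++].ch_mask = (unsigned char)tx_slot[i];
    /* Bug 3: rx continues after tx instead of overwriting it */
    for (i = 0; i < rx_num; i++)
        c->pconfig[port++].ch_mask = (unsigned char)rx_slot[i];
    return 0;
}

/* Constructed case: a full 16-entry tx array is refused, not truncated. */
int demo_oversized_tx(void)
{
    struct ctrl_model c = {0};
    unsigned int tx_ch[SLIM_MAX_TX_PORTS] = {0};
    return set_channel_map_checked(&c, SLIM_MAX_TX_PORTS, tx_ch, 0, NULL);
}

/* Constructed case: 2 tx + 2 rx masks; returns slots 0..4 packed as hex nibbles. */
unsigned int demo_layout(void)
{
    struct ctrl_model c = {0};
    unsigned int tx[] = {0x1, 0x2}, rx[] = {0x4, 0x8};

    if (set_channel_map_checked(&c, 2, tx, 2, rx))
        return ~0u;
    return (unsigned int)c.pconfig[0].ch_mask << 16 | c.pconfig[1].ch_mask << 12 |
           c.pconfig[2].ch_mask << 8 | c.pconfig[3].ch_mask << 4 | c.pconfig[4].ch_mask;
}
```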

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.15 (including) 6.15.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*