Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71192

CVE-2025-71192: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71192 is a use-after-free flaw in the Linux kernel ALSA AC97 controller that causes improper memory handling during device registration. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-71192 Overview

CVE-2025-71192 is a double free vulnerability in the Linux kernel's Advanced Linux Sound Architecture (ALSA) AC97 subsystem. The flaw resides in the snd_ac97_controller_register() function within the AC97 bus driver. When ac97_add_adapter() fails during controller registration, the cleanup path incorrectly calls kfree() on a structure that is also released through its device reference, producing a double free condition. The issue was identified through code review and resolved upstream across multiple stable kernel branches.

Critical Impact

A double free in kernel-allocated memory can lead to memory corruption, kernel panic, or potential local privilege escalation depending on heap state at the time of the second free.

Affected Products

  • Linux kernel (mainline) ALSA AC97 subsystem
  • Linux stable kernel branches referenced by commits 21f8bc51, 830988b6, c80f9b33, cb73d37a, and fcc04c92
  • Distributions shipping affected kernels with AC97 audio support compiled in

Discovery Timeline

  • 2026-02-04 - CVE-2025-71192 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-71192

Vulnerability Analysis

The vulnerability resides in snd_ac97_controller_register(), which registers an AC97 bus adapter and a backing struct device. When ac97_add_adapter() fails, the original error path released the device with kfree(). The device, however, is reference-counted and must be released via put_device() so that the registered release callback performs the final free. Calling kfree() directly bypasses the reference-counting contract and frees memory that the device subsystem also releases, producing a double free.

A related cleanup gap existed when idr_alloc() failed and inside ac97_adapter_release(), where allocated memory was not freed at all. The upstream fix replaces the incorrect kfree() in the error path with put_device() and adds proper kfree() calls in the idr_alloc() failure branch and the adapter release handler to balance allocations.

Root Cause

The root cause is improper object lifetime management for a struct device embedded in the AC97 adapter. Kernel device objects use get_device()/put_device() reference counting paired with a release callback. Mixing manual kfree() with this lifecycle creates a Double Free [CWE-415] when the release callback later frees the same allocation.

Attack Vector

Triggering the flaw requires reaching the failure path of ac97_add_adapter() during AC97 controller registration. This is a local, kernel-internal code path generally exercised during driver initialization on systems with AC97 hardware or emulated AC97 devices. Exploitation potential depends on whether an attacker can influence the failure condition, but the immediate consequence is kernel memory corruption.

No verified proof-of-concept code is available. See the upstream patches for technical details: Kernel Git Commit 21f8bc5, Kernel Git Commit 830988b, Kernel Git Commit c80f9b3, Kernel Git Commit cb73d37, and Kernel Git Commit fcc04c9.

Detection Methods for CVE-2025-71192

Indicators of Compromise

  • Kernel oops or panic messages referencing snd_ac97_controller_register, ac97_add_adapter, or ac97_adapter_release in dmesg or /var/log/kern.log.
  • SLUB/SLAB allocator warnings such as double free or kernel BUG at mm/slub.c correlated with ALSA AC97 driver load events.
  • Unexpected reboots or sound subsystem failures on systems with AC97 audio controllers during module initialization.

Detection Strategies

  • Inventory running kernel versions and compare against the patched stable releases that include commits 21f8bc51, 830988b6, c80f9b33, cb73d37a, and fcc04c92.
  • Enable CONFIG_SLUB_DEBUG and KASAN in test environments to surface double free conditions in the AC97 bus driver path.
  • Hunt for AC97 driver registration failures across host telemetry by querying kernel ring buffer messages for ac97_add_adapter failures.

Monitoring Recommendations

  • Forward dmesg and journald kernel logs to a central data lake and alert on patterns matching snd_ac97_controller_register errors or slab double-free reports.
  • Track kernel package versions across the fleet and flag hosts running pre-patch versions with the AC97 driver loaded (lsmod | grep ac97).
  • Monitor for unscheduled kernel crashes on systems using AC97 audio, including virtualized guests where AC97 is emulated.

How to Mitigate CVE-2025-71192

Immediate Actions Required

  • Apply the latest stable kernel update from your distribution vendor that incorporates the upstream fixes for snd_ac97_controller_register().
  • Reboot affected systems after installing the patched kernel to ensure the corrected driver is loaded.
  • Prioritize patching on systems exposing AC97 audio devices, including legacy hardware and virtual machines configured with emulated AC97 controllers.

Patch Information

The fix replaces the erroneous kfree() in the error path of snd_ac97_controller_register() with put_device(), and adds kfree() in the idr_alloc() failure branch and in ac97_adapter_release(). The patch is available across multiple stable branches via commits 21f8bc51, 830988b6, c80f9b33, cb73d37a, and fcc04c92. Distribution maintainers have backported these changes into their respective kernel updates.

Workarounds

  • If patching is not immediately possible, blacklist the snd_ac97_codec and related AC97 modules on systems that do not require AC97 audio support.
  • For virtualized environments, reconfigure guests to use a different audio device model (for example, Intel HDA) instead of emulated AC97.
  • Restrict local access to systems running unpatched kernels to reduce the attack surface for any local trigger paths.
bash
# Verify kernel version and check for AC97 driver presence
uname -r
lsmod | grep -i ac97

# Optional: blacklist AC97 modules until patched kernel is deployed
echo "blacklist snd_ac97_codec" | sudo tee /etc/modprobe.d/blacklist-ac97.conf
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.