CVE-2025-71286 Overview
CVE-2025-71286 is a Linux kernel vulnerability in the ASoC (ALSA System on Chip) Sound Open Firmware (SOF) IPC4 topology subsystem. The flaw involves an incorrect allocation size calculation for bytes controls within the sof_ipc4_control_data structure. The kernel allocated memory based only on the topology-supplied max_size, which describes the payload plus sof_abi_hdr, without accounting for the kernel-internal sof_ipc4_control_data header. The fix corrects the allocation by adding the kernel-only structure size to the buffer behind scontrol->ipc_control_data.
Critical Impact
Insufficient buffer allocation in the SOF IPC4 topology handler can lead to out-of-bounds memory access when bytes controls are processed, potentially causing kernel memory corruption or instability on affected audio subsystems.
Affected Products
- Linux kernel branches containing the ASoC SOF IPC4 topology driver
- Systems using Sound Open Firmware (SOF) audio subsystems
- Distributions shipping the affected stable kernel trees prior to the referenced fix commits
Discovery Timeline
- 2026-05-06 - CVE-2025-71286 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71286
Vulnerability Analysis
The vulnerability resides in the SOF IPC4 topology code path that allocates the buffer referenced by scontrol->ipc_control_data for bytes controls. The data layout behind that pointer consists of two logical regions: the kernel-only struct sof_ipc4_control_data header, followed by struct sof_abi_hdr plus the control payload. Topology metadata supplies max_size, which represents only the second region.
The original allocator used max_size directly as the allocation size. As a result, the buffer was too small to contain the leading sof_ipc4_control_data header that the kernel writes and reads. Subsequent accesses to the header fields, or to the payload positioned after it, operate beyond the allocated extent.
Root Cause
The root cause is an [CWE-131] incorrect calculation of buffer size. The allocation function failed to add sizeof(struct sof_ipc4_control_data) to the topology-provided max_size before requesting memory. The corrected logic allocates sizeof(struct sof_ipc4_control_data) + max_size so the buffer holds both the kernel header and the ABI header plus payload.
Attack Vector
Exploitation requires a code path that processes SOF IPC4 bytes controls with topology-supplied sizes. A local attacker with the ability to load a crafted SOF topology file, or interact with the audio control interface on a system using SOF, could trigger reads or writes past the undersized allocation. The vulnerability primarily presents as a kernel memory safety issue on systems with SOF-backed audio devices.
The upstream fix is documented across the kernel stable commits referenced in the Kernel Git Commit #491956b and Kernel Git Commit #a653820 trees. No public proof-of-concept exploit is available.
Detection Methods for CVE-2025-71286
Indicators of Compromise
- Kernel log messages from the snd_sof modules referencing bytes control allocation failures or unexpected sizes
- Audio subsystem crashes, KASAN reports, or slab-out-of-bounds warnings tied to sof_ipc4_control_data
- Unexpected loading of non-vendor SOF topology files on endpoints
Detection Strategies
- Inventory running kernel versions and compare against the fixed commits in the upstream stable trees
- Enable KASAN on test systems to surface out-of-bounds access in the SOF IPC4 topology path
- Audit /lib/firmware/intel/sof-tplg/ and equivalent directories for unauthorized topology file modifications
Monitoring Recommendations
- Forward kernel ring buffer and journald logs to a centralized log platform and alert on sof and ASoC error patterns
- Track package and kernel update status across the fleet to confirm patched builds are deployed
- Monitor for unexpected kernel module loads or audio firmware reloads on production systems
How to Mitigate CVE-2025-71286
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable commits and rebuild or update affected kernels
- Update to a distribution kernel package that includes the fix once published by the vendor
- Restrict local user access to systems where kernel updates cannot yet be applied
Patch Information
The fix changes the allocation logic so the buffer behind scontrol->ipc_control_data includes both sizeof(struct sof_ipc4_control_data) and the topology-supplied max_size. Patches are published in the upstream kernel stable trees: Kernel Git Commit #1237cd9, Kernel Git Commit #491956b, Kernel Git Commit #59fe643, Kernel Git Commit #a653820, and Kernel Git Commit #a704a1a.
Workarounds
- Disable the snd_sof family of modules on systems that do not require SOF audio support
- Restrict write access to firmware and topology directories so only privileged provisioning processes can modify them
- Limit local interactive access on systems running unpatched kernels with SOF audio enabled
# Block loading of the SOF audio modules until a patched kernel is deployed
echo 'install snd_sof /bin/true' | sudo tee /etc/modprobe.d/disable-snd-sof.conf
echo 'install snd_sof_pci /bin/true' | sudo tee -a /etc/modprobe.d/disable-snd-sof.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
