CVE-2026-43412 Overview
CVE-2026-43412 is a Linux kernel vulnerability in the ASoC (ALSA System on Chip) Qualcomm qdsp6 audio driver. The flaw involves incorrect component removal ordering in the q6apm driver during Audio DSP (ADSP) stop and start cycles. When the ADSP stops, the q6apm-audio.remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the runtime descriptors (RTDs) containing q6apm DAI components before their removal pass executes, leaving stale references linked to the sound card. The result is a NULL pointer dereference and kernel crash on the next rebind operation.
Critical Impact
A NULL pointer dereference in the kernel audio subsystem triggers a denial of service on Qualcomm-based Linux systems during ADSP restart cycles.
Affected Products
- Linux kernel ASoC qcom/qdsp6 subsystem
- Qualcomm platforms using q6apm audio components (e.g., Lemans EVK, SA8775P)
- Kernel version 6.19.0-rc6 confirmed in crash trace
Discovery Timeline
- 2026-05-08 - CVE-2026-43412 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43412
Vulnerability Analysis
The vulnerability resides in the Qualcomm Audio Process Manager (q6apm) component within the kernel's ASoC framework. During ADSP stop and start events, the kernel triggers driver teardown through a process domain restart (PDR) notification handled by the pdr_notifier_wq workqueue. The crash trace shows a NULL pointer dereference at virtual address 0x00000000000000d0 occurring inside mutex_lock, called from soc_dapm_shutdown_dapm in snd_soc_core.
The fault occurs because the q6apm-audio driver's .remove callback dismantles PCM runtimes and unloads topology data while child DAI components remain registered against the sound card. When ASoC subsequently attempts to walk the component list during shutdown or rebind, it dereferences structures that have already been freed or partially torn down.
Root Cause
The root cause is improper ordering of component removal in the ASoC unbind path for Qualcomm DSP drivers. Dependent child components, including q6apm_dai, q6apm_lpass_dais, and topology-linked PCM runtimes, must be removed before the parent q6apm component. The original implementation removed PCM runtimes during the parent's .remove callback, breaking the expected lifecycle ordering and creating dangling pointers in the DAPM (Dynamic Audio Power Management) graph.
Attack Vector
The vulnerability triggers on legitimate ADSP service restart events handled through the PDR (Process Domain Restart) notifier. A local user with the ability to induce ADSP restart, or a fault condition in the remote DSP firmware causing a process domain crash, will trigger the kernel oops. The crash occurs in kernel context and renders the audio subsystem unusable until reboot. The vulnerability is not network-exploitable and requires either physical access or local privileges sufficient to interact with the audio subsystem or DSP service.
The upstream fix ensures all dependent child components unbind first, with the q6apm parent component removed last. Patch details are available in kernel git commits 0da170b, 22b05ab, 897f32c, 94bda21, a8e9cab, and d6db827.
Detection Methods for CVE-2026-43412
Indicators of Compromise
- Kernel oops messages referencing mutex_lock+0xc/0x54 called from soc_dapm_shutdown_dapm in snd_soc_core
- NULL pointer dereferences at virtual address 0x00000000000000d0 originating from the pdr_notifier_wq workqueue
- Repeated audio subsystem failures following ADSP process domain restart events on Qualcomm platforms
Detection Strategies
- Monitor the kernel ring buffer (dmesg) for "Unable to handle kernel NULL pointer dereference" entries containing q6apm, snd_soc_core, or pdr_interface module references
- Correlate audio subsystem crashes with PDR notifier events visible in /sys/kernel/debug/qcom_socinfo or remoteproc state transitions
- Track loaded module sets containing snd_q6apm, q6apm_dai, and q6apm_lpass_dais against running kernel versions to confirm patch status
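One way to apply the indicators above to collected kernel logs, as an added example that is not part of the original advisory or the kernel project. The function names, the min_hits threshold, and the sample log (including the placeholder offset after soc_dapm_shutdown_dapm) are constructed for illustration.

```python
import re

# Signatures from the advisory's indicators; only mutex_lock's offset is fixed by the page.
SIGNATURES = {
    "null_deref_0xd0": re.compile(r"NULL pointer dereference at virtual address (?:0x)?0*d0\b"),
    "pdr_workqueue": re.compile(r"Workqueue: pdr_notifier_wq\b"),
    "mutex_lock": re.compile(r"\bmutex_lock\+0xc/0x54"),
    "dapm_shutdown": re.compile(r"\bsoc_dapm_shutdown_dapm\+.*\[snd_soc_core\]"),
}
OOPS_START = re.compile(r"Unable to handle kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")

def split_oopses(lines):
    """Yield each oops as a list of lines; a truncated final oops is still yielded."""
    block = None
    for line in lines:
        if OOPS_START.search(line):
            if block:
                yield block
            block = []
        if block is not None:
            block.append(line)
            if OOPS_END.search(line):
                yield block
                block = None
    if block:
        yield block

def match_cve_2026_43412(lines, min_hits=3):
    """Return the sorted matched-signature names for each oops with >= min_hits hits."""
    results = []
    for block in split_oopses(lines):
        text = "\n".join(block)
        hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(text))
        if len(hits) >= min_hits:
            results.append(hits)
    return results

# Constructed sample (not a real capture): one matching oops, one unrelated truncated oops.
SAMPLE_LOG = """\
[  412.100] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[  412.102] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[  412.103] pc : mutex_lock+0xc/0x54
[  412.104]  soc_dapm_shutdown_dapm+0x0/0x0 [snd_soc_core]
[  412.105] ---[ end trace 0000000000000000 ]---
[  900.200] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[  900.201] Workqueue: events example_work_fn
""".splitlines()
print(match_cve_2026_43412(SAMPLE_LOG))
```

Requiring several signatures per oops keeps unrelated NULL dereferences, such as the second entry in the sample, out of the alert stream.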
Monitoring Recommendations
- Forward kernel panic and oops logs from Qualcomm-based Linux endpoints to a centralized log aggregation system
- Alert on workqueue-triggered crashes referencing pdr_notifier_work to identify systems impacted by this defect
- Track kernel version inventory across affected SoC platforms to verify patched builds are deployed
How to Mitigate CVE-2026-43412
Immediate Actions Required
- Update affected Linux kernels to a stable release containing the upstream fix from the referenced git commits
- Inventory Qualcomm-based Linux devices, including SA8775P-class automotive and embedded platforms, to identify exposure
- Suspend operations that intentionally cycle the ADSP service on unpatched kernels until updates are applied
Patch Information
The fix reorders component removal so that all dependent (child) ASoC components unbind before the q6apm parent component. Distributors should backport the upstream patches referenced in the kernel git commits to any maintained branches that ship the qdsp6 driver stack. Rebuild and redeploy kernel images for affected hardware, then verify the audio subsystem survives an ADSP restart cycle without producing oops messages.
Workarounds
- Avoid triggering ADSP stop and start sequences on unpatched systems where possible
- Unload the snd_q6apm and dependent modules in the correct dependency order before any planned DSP service restart
- Restrict local access to interfaces that can induce process domain restarts on shared or multi-tenant systems