CVE-2026-43443 Overview
CVE-2026-43443 affects the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically the AMD Audio Co-Processor (ACP) machine driver acp-mach-common. The acp_card_rt5682_init() and acp_card_rt5682s_init() functions failed to check the return values of clk_get(). When clock acquisition fails, the resulting invalid pointers are later dereferenced by clock core functions, leading to a kernel crash. The fix replaces clk_get() with the device-managed devm_clk_get() and adds IS_ERR() checks immediately after each clock acquisition.
Critical Impact
Local conditions causing clock acquisition failure can trigger a null pointer dereference in kernel space, resulting in a denial of service through kernel crash on affected AMD audio hardware.
Affected Products
- Linux kernel — ASoC AMD ACP machine driver (acp-mach-common)
- Systems using Realtek RT5682 or RT5682s codecs on AMD ACP audio hardware
- Affected kernel versions are documented in the upstream stable trees referenced below
Discovery Timeline
- 2026-05-08 - CVE-2026-43443 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43443
Vulnerability Analysis
The vulnerability resides in the AMD ACP machine driver located in the Linux kernel's sound/soc/amd/acp/ directory. The driver supports audio cards using Realtek RT5682 and RT5682s codecs. During card initialization, both acp_card_rt5682_init() and acp_card_rt5682s_init() call clk_get() to obtain references to required clock sources.
The clk_get() function returns either a valid struct clk pointer or an error-encoded pointer on failure. The original code stored the returned pointer without validating it. Later operations on the clock — including clk_set_rate(), clk_prepare_enable(), and other clock core routines — dereferenced these unvalidated pointers. When clk_get() failed, the resulting error pointer triggered a kernel oops.
The vulnerability falls under the Null Pointer Dereference and Improper Input Validation categories. It is a reliability and availability issue rather than a memory corruption or privilege escalation flaw. The EPSS score of 0.024% reflects the low likelihood of remote exploitation.
Root Cause
The root cause is missing return value validation after clock acquisition. Kernel driver code must always check pointers returned by clk_get() using IS_ERR() before use. Additionally, the original code used the non-managed clk_get() variant, requiring manual cleanup with clk_put() and increasing the risk of resource leaks on error paths.
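The pattern described above, as an added userspace example (not the kernel driver's code): ERR_PTR(), PTR_ERR() and IS_ERR() are re-created locally, and mock_clk_get(), struct drvdata and the wclk field are hypothetical stand-ins. It shows that a failed acquisition yields a non-NULL error pointer, so the unchecked init reports success while the checked init returns the errno.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
struct clk { unsigned long rate; };   /* stand-in, not the kernel's struct clk */
struct drvdata { struct clk *wclk; }; /* hypothetical driver state */
static struct clk fake_clk;

/* Hypothetical mock of clk_get(): a missing clock yields ERR_PTR(-ENOENT). */
static struct clk *mock_clk_get(int present)
{
    return present ? &fake_clk : ERR_PTR(-ENOENT);
}

/* "Before" pattern: the result is stored without validation. */
static int init_unchecked(struct drvdata *d, int present)
{
    d->wclk = mock_clk_get(present);
    return 0; /* reports success; a later clk_set_rate(d->wclk) would fault */
}

/* "After" pattern: IS_ERR() right after acquisition, errno passed up. */
static int init_checked(struct drvdata *d, int present)
{
    struct clk *c = mock_clk_get(present);
    if (IS_ERR(c))
        return (int)PTR_ERR(c);
    d->wclk = c;
    return 0;
}

/* 1 if the unchecked path "succeeds" yet leaves a non-NULL error pointer. */
int unchecked_keeps_err_ptr(void)
{
    struct drvdata d = { 0 };
    return init_unchecked(&d, 0) == 0 && d.wclk != NULL && IS_ERR(d.wclk);
}

int main(void)
{
    struct drvdata d = { 0 };
    printf("unchecked=%d checked rc=%d\n", unchecked_keeps_err_ptr(), init_checked(&d, 0));
    return 0;
}
```

Because the error pointer is not NULL, a plain NULL test in the driver would not have caught the failure either; IS_ERR() is the check that matches what clk_get() returns.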
Attack Vector
Triggering the bug requires conditions on the local system that cause clock acquisition to fail during audio card probe. This typically depends on hardware configuration, device tree contents, or platform firmware state. The flaw is not remotely exploitable and does not appear to provide a path to privilege escalation. The impact is a kernel crash affecting system availability.
No public proof-of-concept code is available. The vulnerability mechanism is described in the upstream patch; see the two Kernel Git Commit Details references.
Detection Methods for CVE-2026-43443
Indicators of Compromise
- Kernel oops or panic messages referencing acp_card_rt5682_init or acp_card_rt5682s_init in dmesg or /var/log/kern.log
- Stack traces showing fault addresses inside clock core functions (clk_set_rate, clk_prepare_enable, __clk_get_hw) following ASoC AMD ACP probe
- Audio subsystem initialization failures on AMD platforms with Realtek RT5682/RT5682s codecs
Detection Strategies
- Inventory running kernel versions across Linux endpoints and servers and correlate against the fixed versions documented in the upstream stable trees
- Monitor kernel ring buffers for ASoC subsystem errors and unexpected reboots tied to audio driver initialization
- Track package management events for kernel updates to confirm patched builds are deployed
Monitoring Recommendations
- Centralize journald and dmesg logs through a SIEM to surface repeated kernel oops events referencing the AMD ACP driver
- Alert on kernel crash dumps under /var/crash/ or systemd-coredump artifacts originating from audio subsystem probes
- Review hardware reliability telemetry on AMD laptops and workstations for unexplained kernel-mode crashes during boot
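One way to turn the indicators above into a log check, as an added example (not part of the original advisory or of any vendor tooling): it counts oops blocks whose trace names either init function and ignores mentions outside an oops. The sample log is constructed, and treating "BUG: " and "---[ end trace" as the block boundaries is an assumption about the log format.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample kernel log, not captured from a real system. */
static const char SAMPLE_LOG[] =
    "[   11.902113] acp_mach: acp_card_rt5682_init: probe start\n"
    "[   12.104220] BUG: unable to handle page fault for address: fffffffffffffffe\n"
    "[   12.104260] Call Trace:\n"
    "[   12.104266]  clk_set_rate+0x1c/0x90\n"
    "[   12.104271]  acp_card_rt5682s_init+0x5e/0x1b0\n"
    "[   12.104290] ---[ end trace 0000000000000000 ]---\n"
    "[   40.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[   40.000125]  other_driver_probe+0x20/0x80\n"
    "[   40.000140] ---[ end trace 0000000000000000 ]---\n";

/* Count oops blocks whose text names either RT5682 init function.
 * Assumption: a block starts at "BUG: " and ends at "---[ end trace". */
int count_acp_oops(const char *log)
{
    static const char *fns[] = { "acp_card_rt5682_init", "acp_card_rt5682s_init" };
    const char *start;
    int count = 0;

    while ((start = strstr(log, "BUG: ")) != NULL) {
        const char *end = strstr(start, "---[ end trace");
        if (!end)
            end = start + strlen(start); /* log truncated mid-oops */
        for (int i = 0; i < 2; i++) {
            const char *p = strstr(start, fns[i]);
            if (p && p < end) { /* name appears inside this block */
                count++;
                break;
            }
        }
        log = end; /* resume the search after this block */
    }
    return count;
}

int main(void)
{
    printf("ACP-related oops blocks: %d\n", count_acp_oops(SAMPLE_LOG));
    return 0;
}
```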
How to Mitigate CVE-2026-43443
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the NVD entry to all affected systems
- Update to a distribution kernel that incorporates both commits 0cee68fb7f4c and 30c64fb98399
- Validate audio subsystem behavior after patching on AMD platforms using RT5682 and RT5682s codecs
Patch Information
The fix is delivered through two upstream commits. The patch converts clk_get() calls to devm_clk_get() so the kernel manages clock release automatically, and it adds IS_ERR() checks immediately after each clock acquisition. See the two Kernel Git Commit Details references for the authoritative source changes. Distribution maintainers backport these commits to supported stable kernel branches.
Workarounds
- Blacklist the snd_soc_acp_mach module on affected systems where audio is not required, preventing the vulnerable initialization paths from executing
- Disable audio in firmware (BIOS/UEFI) on headless deployments that do not need the AMD ACP subsystem
- Restrict physical and local administrative access to reduce the chance of triggering hardware states that produce clock acquisition failures
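```bash
# Example: blacklist the AMD ACP machine driver until the kernel is patched.
# Confirm the module name on your kernel with lsmod before relying on this entry.
echo "blacklist snd_soc_acp_mach" | sudo tee /etc/modprobe.d/blacklist-acp-mach.conf
# Rebuild the initramfs so the blacklist applies at boot (update-initramfs is the Debian/Ubuntu tool)
sudo update-initramfs -u
# Verify the running kernel version after patching
uname -r
```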
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


