CVE-2026-43478 Overview
CVE-2026-43478 is a NULL pointer dereference vulnerability in the Linux kernel's ALSA System on Chip (ASoC) subsystem. The flaw resides in the rt1011 codec driver, specifically in the rt1011_recv_spk_mode_put() function. The function used an incorrect helper to retrieve the Dynamic Audio Power Management (DAPM) context from a kcontrol object, which returns a NULL pointer. The fix replaces the incorrect lookup with snd_soc_component_to_dapm(), which retrieves the DAPM context from the audio component. Kernel maintainers resolved the issue through commits 30e4b229 and b10b2b15.
Critical Impact
A NULL pointer dereference in the ASoC rt1011 codec path can trigger a kernel oops, resulting in local denial of service on affected Linux systems.
Affected Products
- Linux kernel versions containing the rt1011 ASoC codec driver prior to the patched commits
- Systems using Realtek RT1011 speaker amplifier audio hardware
- Distributions shipping pre-patch stable kernels
Discovery Timeline
- 2026-05-13 - CVE-2026-43478 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43478
Vulnerability Analysis
The vulnerability exists in the rt1011_recv_spk_mode_put() callback inside the sound/soc/codecs/rt1011.c driver. The function is invoked when userspace writes to a mixer control to change the speaker receive mode. The original code attempted to retrieve the DAPM context using a helper that derived the context from the kcontrol argument. That lookup path does not provide a valid DAPM context for this codec, returning NULL.
When the code subsequently dereferences the NULL DAPM pointer to read or update widget power state, the kernel triggers a NULL pointer dereference. On most configurations this generates a kernel oops, terminating the calling thread and potentially destabilizing the audio subsystem.
Root Cause
The root cause is incorrect API selection inside the codec driver. The mixer put callback received a kcontrol object but used a derivation helper that does not yield a valid DAPM context for the rt1011 component. The patch substitutes snd_soc_component_to_dapm(), which correctly resolves the DAPM context from the bound component pointer obtained via snd_soc_kcontrol_component().
Attack Vector
Exploitation requires local access to the system and the ability to write to ALSA mixer controls exposed by the rt1011 codec. An unprivileged user with permission on /dev/snd/controlC* nodes can invoke the affected control through amixer, alsactl, or direct ioctl calls against the control device. The result is a kernel-side NULL dereference and local denial of service. No remote attack path or privilege escalation primitive has been documented for this issue.
No verified public exploit code is available. The vulnerability mechanism is described in the upstream commit messages referenced below: Kernel Git Commit 30e4b229 and Kernel Git Commit b10b2b15.
Detection Methods for CVE-2026-43478
Indicators of Compromise
- Kernel oops or BUG messages in dmesg referencing rt1011_recv_spk_mode_put or snd_soc_dapm functions on the call stack
- Repeated audio subsystem crashes following writes to rt1011 mixer controls
- Unexpected termination of ALSA control processes such as amixer or alsactl with kernel-side faults
Detection Strategies
- Inventory running kernels and compare against the patched commit hashes 30e4b229 and b10b2b15 to identify unpatched hosts
- Audit loaded kernel modules for the snd_soc_rt1011 driver on systems where it is not required by attached hardware
- Monitor /var/log/kern.log and journald for Oops, general protection fault, or BUG: kernel NULL pointer dereference entries
Monitoring Recommendations
- Forward kernel ring buffer and syslog data to a centralized logging platform for correlation of repeated audio-driver crashes
- Alert on any unprivileged process invoking ALSA control ioctl calls in rapid succession on hosts running the affected codec driver
- Track package and kernel update status across the Linux fleet to confirm timely deployment of stable kernel releases
How to Mitigate CVE-2026-43478
Immediate Actions Required
- Apply the upstream stable kernel updates that include commits 30e4b229 and b10b2b15 to the rt1011 codec driver
- Identify systems with Realtek RT1011 audio hardware and prioritize kernel patching on those hosts first
- Restrict access to ALSA control device nodes on multi-user systems to limit which accounts can trigger codec mixer callbacks
Patch Information
The fix is published in the Linux stable tree. Review the patches at Kernel Git Commit 30e4b229 and Kernel Git Commit b10b2b15. Distribution kernels rebased on the affected stable branches should pick up the change automatically. Verify the running kernel version after update with uname -r and confirm the patch is present in the distribution changelog.
Workarounds
- Unload the snd_soc_rt1011 module on systems that do not depend on the codec using modprobe -r snd_soc_rt1011
- Blacklist the module by adding blacklist snd_soc_rt1011 to a file in /etc/modprobe.d/ where audio functionality is not required
- Tighten permissions on /dev/snd/control* nodes via udev rules to restrict mixer access to trusted users
# Configuration example
# Blacklist the affected codec module on systems that do not need it
echo 'blacklist snd_soc_rt1011' | sudo tee /etc/modprobe.d/cve-2026-43478.conf
sudo update-initramfs -u
# Verify the patched kernel is running
uname -r
dmesg | grep -i rt1011
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
