CVE-2025-71286: SOF Topology Memory Allocation Bug
Plattform
linux
Komponente
sof
Behoben in
a653820700b81c9e6f05ac23b7969ecec1a18e85
CVE-2025-71286 is a security vulnerability affecting the SOF (Sound Open Firmware) component within the Linux kernel. This issue stems from an incorrect calculation of the memory allocation size for bytes controls within the ipc4-topology module, potentially leading to memory corruption. The vulnerability impacts Linux systems running versions prior to a653820700b81c9e6f05ac23b7969ecec1a18e85, and a fix has been implemented in the specified version.
Auswirkungen und Angriffsszenarien
An attacker could exploit this vulnerability by crafting malicious input that triggers the incorrect memory allocation. This could lead to a denial-of-service (DoS) condition, where the system becomes unresponsive or crashes. The potential for data corruption exists if the allocated memory overwrites critical system data. While direct remote code execution is unlikely, a local attacker with sufficient privileges could leverage this vulnerability to gain control of the affected system. The blast radius is limited to the system running the vulnerable SOF component, but widespread adoption of Linux could make this a significant concern.
Ausnutzungskontext
The vulnerability was published on 2026-05-06. Its inclusion in the Linux kernel security updates suggests a potential for exploitation. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code is currently known. Refer to the NVD and CISA advisories for further updates and potential exploitation patterns.
Bedrohungsanalyse
Exploit-Status
EPSS
0.02% (7% Perzentil)
Betroffene Software
Zeitleiste
- Veröffentlicht
- Geändert
- EPSS aktualisiert
Mitigation und Workarounds
The primary mitigation for CVE-2025-71286 is to upgrade to kernel version a653820700b81c9e6f05ac23b7969ecec1a18e85 or later. If a direct upgrade is not feasible due to compatibility issues, consider temporarily disabling the ipc4-topology module. WAFs or proxies are not directly applicable here. Monitoring system logs for errors related to SOF or memory allocation can provide early detection. After upgrading, confirm the fix by verifying the memory allocation size for bytes controls using kernel debugging tools.
So behebenwird übersetzt…
Actualice el kernel de Linux a la versión 6.6.1 o posterior para corregir la asignación de memoria incorrecta en el controlador SOF. Esta actualización aborda un posible desbordamiento de búfer al asignar memoria para controles de bytes, mejorando la seguridad y la estabilidad del sistema.
Häufig gestellte Fragen
Was ist CVE-2025-71286 in SOF (Sound Open Firmware)?
It's a Linux kernel vulnerability in the SOF (Sound Open Firmware) component related to incorrect memory allocation for bytes controls, potentially causing a denial-of-service.
Bin ich von CVE-2025-71286 in SOF (Sound Open Firmware) betroffen?
You are affected if you are running a Linux kernel version prior to a653820700b81c9e6f05ac23b7969ecec1a18e85 and use the SOF component.
Wie behebe ich CVE-2025-71286 in SOF (Sound Open Firmware)?
Upgrade your Linux kernel to version a653820700b81c9e6f05ac23b7969ecec1a18e85 or later to resolve this vulnerability.
Wird CVE-2025-71286 aktiv ausgenutzt?
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but its inclusion in security updates warrants attention.
Wo finde ich den offiziellen SOF (Sound Open Firmware)-Hinweis für CVE-2025-71286?
Refer to the National Vulnerability Database (NVD) and CISA advisories for detailed information and updates on CVE-2025-71286.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Jetzt testen — kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...