CVE-2025-71286: Memory Allocation Bug in SOF Firmware
Platform
linux
Component
sof
Fixed in
a653820700b81c9e6f05ac23b7969ecec1a18e85
CVE-2025-71286 addresses a memory allocation issue within the SOF (Sound Open Firmware) component of the Linux kernel. This vulnerability stems from an incorrect calculation of the required memory size for bytes controls within the ipc4-topology module, potentially leading to a denial-of-service condition. The vulnerability impacts Linux kernel versions up to and including a653820700b81c9e6f05ac23b7969ecec1a18e85, and a fix is available in version a653820700b81c9e6f05ac23b7969ecec1a18e85.
Impact and Attack Scenarios
The core of this vulnerability lies in the ipc4-topology module's handling of bytes controls. The code incorrectly calculates the size needed to allocate memory for these controls, resulting in an undersized allocation. An attacker could potentially trigger this condition by crafting specific audio processing requests that exploit the memory allocation error. This could lead to a denial-of-service (DoS) attack, crashing the audio subsystem or even the entire kernel. While direct data exfiltration is unlikely, the disruption of audio functionality could have significant consequences for systems relying on audio input or output, such as embedded devices, multimedia servers, and VoIP systems. The blast radius is primarily limited to the affected audio subsystem, but a kernel crash could impact the entire system.
Exploitation Context
As of the publication date, CVE-2025-71286 does not appear on the KEV (Kernel Exploitability Vulnerability) list. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (POC) code is currently unavailable, suggesting a lower immediate exploitation risk. The vulnerability was published on 2026-05-06, and it's recommended to monitor security advisories and exploit databases for any emerging threats.
Threat Intelligence
Exploit Status
EPSS
0.02% (7% percentile)
Affected Software
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-71286 is to upgrade the Linux kernel to version a653820700b81c9e6f05ac23b7969ecec1a18e85 or later, which includes the corrected memory allocation logic. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider temporarily disabling the affected SOF features or implementing stricter input validation on audio processing requests. While a WAF or proxy is unlikely to directly mitigate this kernel-level vulnerability, ensuring proper firewall rules and network segmentation can limit potential attack vectors. After upgrading the kernel, confirm the fix by attempting to reproduce the vulnerability scenario (e.g., sending a crafted audio processing request) and verifying that the system remains stable.
How to fix
Actualice el kernel de Linux a la versión 6.6.1 o posterior para corregir la asignación de memoria incorrecta en el controlador SOF. Esta actualización aborda un posible desbordamiento de búfer al asignar memoria para controles de bytes, mejorando la seguridad y la estabilidad del sistema.
Frequently asked questions
What is CVE-2025-71286 — Memory Allocation Bug in SOF Firmware?
CVE-2025-71286 is a vulnerability in the SOF firmware component of the Linux kernel, affecting memory allocation within the ipc4-topology module. This can lead to a denial-of-service if exploited.
Am I affected by CVE-2025-71286 in SOF Firmware?
You are affected if your system runs a Linux kernel version with SOF firmware prior to a653820700b81c9e6f05ac23b7969ecec1a18e85. Check your kernel version using 'uname -r'.
How do I fix CVE-2025-71286 in SOF Firmware?
Upgrade your Linux kernel to version a653820700b81c9e6f05ac23b7969ecec1a18e85 or later. This includes the corrected memory allocation logic.
Is CVE-2025-71286 being actively exploited?
Currently, there is no public evidence of active exploitation, but it's crucial to apply the patch or mitigation as soon as possible.
Where can I find the official SOF advisory for CVE-2025-71286?
Refer to the Linux Kernel Security mailing list and relevant vendor security advisories for updates and official information regarding CVE-2025-71286.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...