{"id":"CVE-2025-40275","summary":"ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor.","modified":"2026-04-02T12:48:21.232346Z","published":"2025-12-06T21:50:57.914Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40275.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40275.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40275"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"17156f23e93c0f59e06dd2aaffd06221341caaee"},{"fixed":"23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"},{"fixed":"c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"},{"fixed":"9f282104627be5fbded3102ff9004f753c55a063"},{"fixed":"2762d3ea9c929ca4094541ca517c317ffa94625b"},{"fixed":"57f607c112966c21240c424b33e2cb71e121dcf0"},{"fixed":"cbdbfc756f2990942138ed0138da9303b4dbf9ff"},{"fixed":"85568535893600024d7d8794f4f8b6428b521e0c"},{"fixed":"632108ec072ad64c8c83db6e16a7efee29ebfb74"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40275.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.18.0"},{"fixed":"5.4.302"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.59"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40275.json"}}],"schema_version":"1.7.5"}