USB Audio Device Vulnerability in Linux Kernel
CVE-2025-40085
What is CVE-2025-40085?
A vulnerability in the Linux kernel's ALSA handling of USB audio devices can cause a NULL pointer dereference while attempting to register an invalid USB audio device. The issue arises in the try_to_register_card() function, where the return value of usb_ifnum_to_if() is used without prior validation. This oversight could lead to system crashes or unexpected behavior, highlighting the need for strict validation checks before interfacing with USB components.
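The unchecked-lookup pattern described above, next to its validated form, as an added user-space example that is not the kernel's code or the upstream patch. All model_* and register_card_* names are hypothetical stand-ins, and the -ENODEV return value is an assumption made for this example.

```c
/* User-space model of the bug class; NOT kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_interface { int number; int claimed; };
struct model_device { struct model_interface *ifs; size_t n_ifs; };

/* Hypothetical stand-in for usb_ifnum_to_if(): returns NULL when the
 * device has no interface with the requested number. */
static struct model_interface *model_ifnum_to_if(struct model_device *dev, int ifnum)
{
    for (size_t i = 0; i < dev->n_ifs; i++)
        if (dev->ifs[i].number == ifnum)
            return &dev->ifs[i];
    return NULL;
}

/* "Before": the lookup result is used without validation. */
static int register_card_unchecked(struct model_device *dev, int ifnum)
{
    struct model_interface *intf = model_ifnum_to_if(dev, ifnum);
    intf->claimed = 1;          /* NULL dereference if the lookup failed */
    return 0;
}

/* "After": the device is rejected when the lookup fails.
 * -ENODEV is an assumed error code, not taken from the fix. */
static int register_card_checked(struct model_device *dev, int ifnum)
{
    struct model_interface *intf = model_ifnum_to_if(dev, ifnum);
    if (!intf)
        return -ENODEV;
    intf->claimed = 1;
    return 0;
}

int main(void)
{
    struct model_interface ifs[] = { {0, 0}, {1, 0} };  /* constructed sample */
    struct model_device dev = { ifs, 2 };
    /* The unchecked form is only safe to call with a valid number. */
    printf("unchecked, ifnum 0 -> %d\n", register_card_unchecked(&dev, 0));
    printf("checked,   ifnum 1 -> %d\n", register_card_checked(&dev, 1));
    printf("checked,   ifnum 7 -> %d\n", register_card_checked(&dev, 7));
    return 0;
}
```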
Affected Version(s)
Linux 28787ff9fbeaf57684eb64cc33e2ec8ceedf21b5 < 736159f7b296d7a95f7208eb4799639b1f8b16a0
Linux 39efc9c8a973ddff5918191525d1679d0fb368ea < 8d19a7ab28c7b9c207db5c5282afa8cc8595bcdb
Linux 39efc9c8a973ddff5918191525d1679d0fb368ea < 576312eb436326b44b7010f4d9ae2b698df075ea