CVE-2024-42088: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link

Commit e70b8dd26711 ("ASoC: mediatek: mt8195: Remove afe-dai component and rework codec link") removed the codec entry for the ETDM1_OUT_BE dai link entirely instead of replacing it with COMP_EMPTY(). This worked by accident as the remaining COMP_EMPTY() platform entry became the codec entry, and the platform entry became completely empty, effectively the same as COMP_DUMMY() since snd_soc_fill_dummy_dai() doesn't do anything for platform entries.

This causes a KASAN out-of-bounds warning in mtk_soundcard_common_probe() in sound/soc/mediatek/common/mtk-soundcard-driver.c:

    for_each_card_prelinks(card, i, dai_link) {
        if (adsp_node && !strncmp(dai_link->name, "AFE_SOF", strlen("AFE_SOF")))
            dai_link->platforms->of_node = adsp_node;
        else if (!dai_link->platforms->name && !dai_link->platforms->of_node)
            dai_link->platforms->of_node = platform_node;
    }

where the code expects the platforms array to have space for at least one entry. Add a COMP_EMPTY() entry so that dai_link->platforms has space.
AI Analysis
Technical Summary
CVE-2024-42088 is a vulnerability identified in the Linux kernel specifically affecting the ALSA System on Chip (ASoC) subsystem for MediaTek mt8195 audio hardware. The issue arises from a recent code change (commit e70b8dd26711) that removed the codec entry for the ETDM1_OUT_BE dai link without properly replacing it with a COMP_EMPTY() placeholder. This resulted in the platform entry becoming empty, effectively equivalent to COMP_DUMMY(), which does not allocate any platform entries. The kernel code in mtk_soundcard_common_probe() expects the platforms array to have at least one valid entry. Due to the missing entry, the code attempts to access an out-of-bounds index in the platforms array, triggering a Kernel Address Sanitizer (KASAN) out-of-bounds warning. This indicates a potential memory safety issue where the kernel accesses invalid memory, which could lead to undefined behavior including kernel crashes or memory corruption.

The vulnerability is rooted in the sound/soc/mediatek/common/mtk-soundcard-driver.c source file and specifically impacts the handling of digital audio interface (DAI) links for MediaTek mt8195 SoCs. The fix involves adding a COMP_EMPTY() entry to ensure the platforms array has the expected space, preventing out-of-bounds access.

No known exploits are reported in the wild, and no CVSS score has been assigned yet. The affected versions correspond to the specific commit hash e70b8dd26711, indicating this is a regression introduced by a recent kernel patch. This vulnerability is technical and low-level, impacting kernel sound driver stability and memory safety rather than directly enabling privilege escalation or remote code execution. However, kernel memory corruption issues can be leveraged in complex attack chains, especially if combined with other vulnerabilities.
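The following is an added example, not kernel code and not part of the original advisory: a userspace C model of the probe loop quoted in the description, run over a link table with and without a platform entry for ETDM1_OUT_BE. The struct and function names, the AFE_SOF_DL2 link name and the num_platforms guard are assumptions made for illustration; the upstream fix is the COMP_EMPTY() entry, not the guard.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model with hypothetical names; not the kernel's structures. */
struct component { const char *name; const void *of_node; };
struct dai_link {
    const char *name;
    struct component *platforms;
    size_t num_platforms;      /* 0 models the completely empty entry */
};

/* Makes the same decisions as the loop in mtk_soundcard_common_probe(),
 * but touches platforms[0] only when the array has an entry.
 * Returns how many links the unguarded loop would have overrun. */
size_t assign_platform_nodes(struct dai_link *links, size_t n,
                             const void *adsp_node, const void *platform_node)
{
    size_t overruns = 0;
    for (size_t i = 0; i < n; i++) {
        struct dai_link *l = &links[i];
        if (l->num_platforms == 0) {   /* platforms[0] does not exist */
            overruns++;
            continue;
        }
        if (adsp_node && !strncmp(l->name, "AFE_SOF", strlen("AFE_SOF")))
            l->platforms->of_node = adsp_node;
        else if (!l->platforms->name && !l->platforms->of_node)
            l->platforms->of_node = platform_node;
    }
    return overruns;
}

/* Constructed sample table. fixed=0: ETDM1_OUT_BE has no platform entry;
 * fixed=1: it has one all-NULL entry, as COMP_EMPTY() would provide. */
static struct component sof_plat[1], etdm1_plat[1];
static int adsp, plat;         /* stand-ins for device tree nodes */

size_t run_model(int fixed)
{
    memset(sof_plat, 0, sizeof sof_plat);
    memset(etdm1_plat, 0, sizeof etdm1_plat);
    struct dai_link links[] = {
        { "AFE_SOF_DL2", sof_plat, 1 },
        { "ETDM1_OUT_BE", etdm1_plat, fixed ? 1 : 0 },
    };
    return assign_platform_nodes(links, 2, &adsp, &plat);
}

int main(void) { printf("%zu %zu\n", run_model(0), run_model(1)); return 0; }
```

With the empty entry present, the second branch of the loop fills in the platform node for ETDM1_OUT_BE, which is the behaviour the original loop assumes for every link.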
Potential Impact
For European organizations, the impact of CVE-2024-42088 primarily concerns systems running Linux kernels with MediaTek mt8195 audio hardware support, which may be found in embedded devices, IoT equipment, or specialized industrial hardware. The vulnerability can cause kernel crashes or instability in affected devices, potentially leading to denial of service conditions. While this does not directly expose confidential data or allow remote code execution, kernel memory corruption vulnerabilities can be a stepping stone for attackers to escalate privileges or cause system outages. Organizations relying on Linux-based embedded systems with MediaTek mt8195 SoCs in critical infrastructure, manufacturing, or telecommunications could face operational disruptions if the vulnerability is triggered. Additionally, the lack of known exploits reduces immediate risk, but the presence of a kernel memory safety issue warrants timely patching to prevent future exploitation. The impact is more pronounced in environments where device availability and reliability are critical, such as industrial control systems or network equipment. European organizations with supply chains or products incorporating MediaTek mt8195 hardware should assess their exposure and prioritize remediation to maintain system integrity and availability.
Mitigation Recommendations
1. Apply the official Linux kernel patch that adds the COMP_EMPTY() entry to the ETDM1_OUT_BE dai link platforms array as soon as it becomes available in stable kernel releases.
2. For embedded devices or IoT systems using MediaTek mt8195 SoCs, coordinate with hardware vendors or device manufacturers to obtain updated firmware or kernel versions incorporating the fix.
3. Conduct thorough testing of updated kernels in staging environments to ensure stability and compatibility before deployment.
4. Monitor kernel logs for KASAN warnings or out-of-bounds errors related to mtk_soundcard_common_probe() as indicators of attempted exploitation or instability.
5. Implement kernel hardening measures such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and enabling KASAN in development environments to detect similar issues early.
6. Limit access to vulnerable devices and restrict untrusted user interactions that could trigger the vulnerable code path.
7. Maintain an inventory of Linux-based devices with MediaTek mt8195 hardware to prioritize patching and risk assessment.
8. Engage with Linux kernel security mailing lists and advisories to stay informed about updates or emerging exploits related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-29T15:50:41.171Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe19f8
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 4:57:26 AM
Last updated: 8/1/2025, 7:37:01 AM