{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-39930", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.147Z", "datePublished": "2025-04-18T07:01:38.576Z", "dateUpdated": "2026-05-11T21:39:10.429Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:39:10.429Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()\n\ncommit 419d1918105e (\"ASoC: simple-card-utils: use __free(device_node) for\ndevice node\") uses __free(device_node) for dlc->of_node, but we need to\nkeep it while driver is in use.\n\nDon't use __free(device_node) in graph_util_parse_dai()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/generic/simple-card-utils.c"], "versions": [{"version": "e03f8d14191142849abad62307d4128afd304521", "lessThan": "146e25625378f7d4463acbd1ffbd975f3332a806", "status": "affected", "versionType": "git"}, {"version": "142a386a805809e21361976d566392bcd07870b8", "lessThan": "16a49e3fda339aa552cde7f2cdbb25b91426cb8a", "status": "affected", "versionType": "git"}, {"version": "419d1918105e5d9926ab02f1f834bb416dc76f65", "lessThan": "232a32e8a7e9be8a2ee238df9b5304eed2f4e195", "status": "affected", "versionType": "git"}, {"version": "419d1918105e5d9926ab02f1f834bb416dc76f65", "lessThan": "de74ec718e0788e1998eb7289ad07970e27cae27", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/generic/simple-card-utils.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.2", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.130", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.78", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.14.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/146e25625378f7d4463acbd1ffbd975f3332a806"}, {"url": "https://git.kernel.org/stable/c/16a49e3fda339aa552cde7f2cdbb25b91426cb8a"}, {"url": "https://git.kernel.org/stable/c/232a32e8a7e9be8a2ee238df9b5304eed2f4e195"}, {"url": "https://git.kernel.org/stable/c/de74ec718e0788e1998eb7289ad07970e27cae27"}], "title": "ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()\n\ncommit 419d1918105e (\"ASoC: simple-card-utils: use __free(device_node) for\ndevice node\") uses __free(device_node) for dlc->of_node, but we need to\nkeep it while driver is in use.\n\nDon't use __free(device_node) in graph_util_parse_dai()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: simple-card-utils: No usar __free(device_node) en el commit 419d1918105e de graph_util_parse_dai() (\"ASoC: simple-card-utils: usar __free(device_node) para el nodo de dispositivo\") usa __free(device_node) para dlc->of_node, pero es necesario mantenerlo mientras se usa el controlador. No usar __free(device_node) en graph_util_parse_dai()."}], "id": "CVE-2025-39930", "lastModified": "2026-04-18T09:16:11.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-18T07:15:44.460", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/146e25625378f7d4463acbd1ffbd975f3332a806"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/16a49e3fda339aa552cde7f2cdbb25b91426cb8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/232a32e8a7e9be8a2ee238df9b5304eed2f4e195"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de74ec718e0788e1998eb7289ad07970e27cae27"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()", "id": "2360933", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2360933"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nASoC: simple-card-utils: Don't use __free(device_node) at graph_util_parse_dai()\ncommit 419d1918105e (\"ASoC: simple-card-utils: use __free(device_node) for\ndevice node\") uses __free(device_node) for dlc->of_node, but we need to\nkeep it while driver is in use.\nDon't use __free(device_node) in graph_util_parse_dai()."], "name": "CVE-2025-39930", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-39930\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39930\nhttps://lore.kernel.org/linux-cve-announce/2025041821-CVE-2025-39930-6fed@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T16:25:43.058475+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch commit 419d1918105e which removes the premature __free call in graph_util_parse_dai()", "If your distribution has not yet released an updated kernel, apply the patch from the Linux kernel git repository and rebuild the kernel, ensuring all ASoC components use the patched code", "If updating the kernel is not possible immediately, disable the ASoC module or any unused sound card components to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free leading to kernel crash"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the ASoC simple\u2011card command utilities are potentially affected. The CVE does not list specific kernel versions or patches, so the vulnerability applies broadly to any build that contains the unpatched code path in graph_util_parse_dai(). It is not limited to a particular distribution or vendor beyond the Linux kernel itself.", "description_and_impact": "The vulnerability arises when the Linux kernel\u2019s ASoC simple\u2011card utilities release a device node prematurely by calling __free(device_node) within graph_util_parse_dai(). This mismanagement of memory can lead to a use\u2011after\u2011free condition, potentially causing the kernel to crash or behave unpredictably, which in turn could be leveraged for denial of service or, in certain circumstances, by an attacker with local privileges to target kernel memory. The primary impact is a loss of availability and a risk of kernel memory corruption.", "risk_and_exploitability": "With a CVSS score of 5.5 the vulnerability is considered moderate in severity. The EPSS score of less than 1% indicates that the overall probability of exploitation is very low, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. The attack vector is likely local or requires privileged execution, so compromising the system is required for an attacker to exploit the flaw. Given the low exploitation probability and the availability of a patch, the risk to most users remains low, though a kernel crash would result in a denial of service for affected users."}}}}, "created": "2025-06-24T09:44:21.557677+00:00", "updated": "2026-04-20T16:30:06.291912+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}