CVE-2024-58077: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-58077 affects the Linux kernel's ASoC (ALSA System on Chip) sound driver component. The vulnerability was discovered on March 6, 2025, and involves improper error handling in the soc-pcm.c file. Specifically, the issue relates to how the socpcmret() function handles -EINVAL error messages during the .prepare callback (NVD, Red Hat).

The vulnerability stems from the socpcmret() function ignoring -EINVAL error messages in the common error handling path. This behavior was implemented in commit 1f5664351410 which lowered the log severity for "no backend DAIs enabled" messages. However, this implementation was deemed over-kill as it affected many functions beyond its intended scope. The -EINVAL error should only be ignored when dealing with invalid parameters from userspace (Kernel Commit). According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The primary impact of this vulnerability is the potential for a denial-of-service attack on the system's syslog and disk space. When invalid parameters are received from userspace, the improper error handling could allow attackers to flood the system logs, potentially affecting system performance and storage capacity (Red Hat).

The vulnerability has been fixed by removing the use of socpcmret() in the .prepare callback and implementing direct error returns. This change prevents the potential for log-based denial-of-service attacks while maintaining proper error handling. The fix has been incorporated into various Linux kernel versions, including 6.1.129-1 for Debian bookworm and 6.12.17-1 for Debian sid/trixie (Debian).