CVE-2025-40132: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40132 is a vulnerability discovered in the Linux kernel, specifically affecting the Intel Sound Open Firmware (SOF) SoundWire (SDW) implementation. The vulnerability was disclosed on November 11, 2025, and affects various Linux distributions. The issue occurs in the create_sdw_dailink() function where the code incorrectly assumes that if include_sidecar is true, the codec on that link has an add_sidecar callback, while there could be other codecs on the same link that do not have this callback (Ubuntu Security, Red Hat CVE).

The vulnerability exists in the ASoC (ALSA System on Chip) Intel SOF SDW driver implementation. The issue stems from a NULL pointer dereference in the create_sdw_dailink() function where the code fails to verify if sof_end->codec_info->add_sidecar is not NULL before calling it. The original implementation made an incorrect assumption about the presence of an add_sidecar callback when include_sidecar is set to true (Debian Security).

The vulnerability could lead to a system crash due to NULL pointer dereference when certain conditions are met in the Intel SOF SDW driver implementation. This primarily affects systems using the Intel Sound Open Firmware with SoundWire audio codecs (AttackerKB).

The vulnerability has been fixed in various Linux distributions through kernel updates. Debian has released fixes in versions 6.12.57-1 for trixie and 6.17.9-1 for sid. Ubuntu has marked this as a medium priority issue and provided updates for affected versions (Debian Security, Ubuntu Security).