CVE-2021-47650: ASoC: soc-compress: prevent the potentially use of null pointer
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-compress: prevent the potentially use of null pointer
There is one call trace that snd_soc_register_card()
->snd_soc_bind_card()->soc_init_pcm_runtime()
->snd_soc_dai_compress_new()->snd_soc_new_compress().
In the trace the 'codec_dai' transfers from card->dai_link,
and we can see from the snd_soc_add_pcm_runtime() in
snd_soc_bind_card() that, if value of card->dai_link->num_codecs
is 0, then 'codec_dai' could be null pointer caused
by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'.
And snd_soc_register_card() is called by various platforms.
Therefore, it is better to add the check in the case of misusing.
And because 'cpu_dai' has already checked in soc_init_pcm_runtime(),
there is no need to check again.
Adding the check as follow, then if 'codec_dai' is null,
snd_soc_new_compress() will not pass through the check
'if (playback + capture != 1)', avoiding the leftover use of
'codec_dai'.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47650 is a Linux kernel audio subsystem defect where an invalid ASoC card configuration could lead to use of a null codec pointer during compressed audio setup. The sources describe a defensive kernel fix, but provide no CVSS score, confirmed impact, or exploitation evidence.
Executive priority
Treat as a patch-management item unless your fleet includes Linux-based embedded, mobile, appliance, or media devices using SoC audio. There is no source-backed evidence of active exploitation or high business urgency.
Technical view
In the ASoC compressed-audio registration path, codec_dai can become null when card->dai_link->num_codecs is 0. The fix adds a codec_dai check in snd_soc_new_compress(), preventing later logic from using that null pointer.
Likely exposure
Exposure is limited to Linux kernels using affected ASoC compressed-audio code paths, typically systems with relevant SoC audio drivers. The bundle lists Linux as affected and includes stable kernel fix references.
Exploitation context
No active exploitation is indicated. The CVE is not marked KEV, and the provided sources do not describe exploitability, attacker prerequisites, or weaponized use.
Researcher notes
The record lacks CVSS, CWE, explicit impact, and exploitability details. Analysis should stay focused on the null codec_dai defensive check and affected stable kernel lines named by the CVE sources.
Mitigation direction
Update to a Linux kernel containing the referenced stable fixes.
Check vendor or distribution kernel advisories for backported fixes.
Prioritize embedded or appliance fleets using SoC audio hardware.
Avoid assuming non-audio Linux servers are exposed without kernel and hardware validation.
Validation and detection
Inventory kernel versions and distribution patch levels.
Identify systems using ASoC and compressed-audio kernel paths.
Confirm whether referenced stable commits are present or backported.
Review vendor advisories for affected kernel package status.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47650 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 26, 2025, 01:54 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.